Abstract. Among the approximation methods for the verification of counter systems, one of them consists in model-checking their flat unfoldings. Unfortunately, the complexity characterization of model-checking problems for such operational models is not always well studied except for reachability queries or for Past LTL. In this paper, we characterize the complexity of model-checking problems on flat counter systems for the specification languages including first-order logic, linear mu-calculus, infinite automata, and related formalisms. Our results span different complexity classes (mainly from PTime to PSpace) and they apply to languages in which arithmetical constraints on counter values are systematically allowed. As far as the proof techniques are concerned, we provide a uniform approach that focuses on the main issues.



1 Introduction

Flat counter systems. Counter systems, finite-state automata equipped with program variables (counters) interpreted over non-negative integers, are known to be ubiquitous in formal verification. Since counter systems can actually simulate Turing machines [19], it is undecidable to check the existence of a run satisfying a given (reachability, temporal, etc.) property. However it is possible to approximate the behavior of counter systems by looking at a subclass of witness runs for which an analysis is feasible. A standard method consists in considering a finite union of path schemas for abstracting the whole bunch of runs, as done in [15]. More precisely, given a finite set of transitions $\Delta$, a path schema is an $\omega$-regular expression over $\Delta$ of the form $L = p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k (l_k)^\omega$ where both the $p_i$'s and the $l_i$'s are paths in the control graph and moreover, the $l_i$'s are loops. A path schema defines a set of infinite runs that respect a sequence of transitions that belongs to $L$. We write $\mathrm{Runs}(c_0, L)$ to denote such a set of runs starting at the initial configuration $c_0$ whereas $\mathrm{Reach}(c_0, L)$ denotes the set of configurations occurring in the runs of $\mathrm{Runs}(c_0, L)$. A counter system is flattable whenever the set of configurations reachable from $c_0$ is equal to $\mathrm{Reach}(c_0, L)$ for some finite union of path schemas $L$. Similarly, a flat counter system, a system in which each control state belongs to at most one simple loop, verifies that the set of runs from $c_0$ is equal to $\mathrm{Runs}(c_0, L)$ for some finite union of path schemas $L$. Obviously, flat counter systems are flattable. Moreover, reachability sets of flattable counter systems are known to be Presburger-definable, see e.g. [2,4,8]. That is why verification of flat counter systems belongs to the core of methods for model-checking arbitrary counter systems and it is desirable to characterize the computational complexity of model-checking problems on this kind of systems (see e.g. results about loops in [3]). Decidability results for verifying safety and reachability properties on flat counter systems have been obtained in [4,8,3]. For the verification of temporal properties, it is much more difficult to get sharp complexity characterizations. For instance, it is known that verifying flat counter systems with CTL* enriched with arithmetical constraints is decidable [6] whereas it is only NP-complete with Past LTL [5] (NP-completeness already holds with flat Kripke structures [11]).

Our motivations. Our objective is to provide a thorough classification of model-checking problems on flat counter systems when linear-time properties are considered. So far the complexity is known with Past LTL [5] but even the decidability status with linear $\mu$-calculus is unknown. Herein, we wish to consider several formalisms specifying linear-time properties (FO, linear $\mu$-calculus, infinite automata) and to determine the complexity of model-checking problems on flat counter systems. Note that FO is as expressive as Past LTL but much more concise whereas linear $\mu$-calculus is strictly more expressive than Past LTL, which motivates the choice of these formalisms dealing with linear properties.

Our contributions. We characterize the computational complexity of model-checking problems on flat counter systems for several prominent linear-time specification languages whose alphabets are related to atomic propositions but also to linear constraints on counter values. We obtain the following results:

– The problem of model-checking first-order formulae on flat counter systems is PSpace-complete (Theorem 9). Note that model-checking classical first-order formulae over arbitrary Kripke structures is already known to be non-elementary. However the flatness assumption allows to drop the complexity to PSpace even though linear constraints on counter values are used in the specification language.

– Model-checking linear $\mu$-calculus formulae on flat counter systems is PSpace-complete (Theorem 14). Not only is linear $\mu$-calculus known to be more expressive than first-order logic (or than Past LTL), but the decidability status of the problem on flat counter systems was also open [6]. So, we establish decidability and we provide a complexity characterization.

– Model-checking Büchi automata over flat counter systems is NP-complete (Theorem 12).

– Global model-checking is possible for all the above-mentioned formalisms (Corollary 16).

The omitted proofs can be found in the Appendix.



2 Preliminaries

2.1 Counter Systems

Counter constraints are defined below as a subclass of Presburger formulae whose free variables are understood as counters. Such constraints are used to define guards in counter systems but also to define arithmetical constraints in temporal formulae. Let $C = \{x_1, x_2, \ldots\}$ be a countably infinite set of counters (variables interpreted over non-negative integers) and $AT = \{p_1, p_2, \ldots\}$ be a countably infinite set of propositional variables (abstract properties about program points). We write $C_n$ to denote the restriction of $C$ to $\{x_1, x_2, \ldots, x_n\}$. The set of guards $g$ using the counters from $C_n$, written $G(C_n)$, is made of Boolean combinations of atomic guards of the form $\sum_{i=1}^{n} a_i \cdot x_i \sim b$ where the $a_i$'s are in $\mathbb{Z}$, $b \in \mathbb{N}$ and $\sim \in \{=, <, >, \leq, \geq\}$. For $g \in G(C_n)$ and a vector $v \in \mathbb{N}^n$, we say that $v$ satisfies $g$, written $v \models g$, if the formula obtained by replacing each $x_i$ by $v[i]$ holds. For $n \geq 1$, a counter system of dimension $n$ (shortly a counter system) $S$ is a tuple $(Q, C_n, \Delta, l)$ where: $Q$ is a finite set of control states, $l : Q \to 2^{AT}$ is a labeling function, $\Delta \subseteq Q \times G(C_n) \times \mathbb{Z}^n \times Q$ is a finite set of transitions labeled by guards and updates. As usual, to a counter system $S = (Q, C_n, \Delta, l)$, we associate a labeled transition system $TS(S) = (C, \to)$ where $C = Q \times \mathbb{N}^n$ is the set of configurations and $\to \subseteq C \times \Delta \times C$ is the transition relation defined by: $((q, v), \delta, (q', v')) \in \to$ (also written $(q, v) \xrightarrow{\delta} (q', v')$) iff $\delta = (q, g, u, q') \in \Delta$, $v \models g$ and $v' = v + u$. Note that in such a transition system, the counter values are non-negative since $C = Q \times \mathbb{N}^n$.

Given an initial configuration $c_0 \in Q \times \mathbb{N}^n$, a run $\rho$ starting from $c_0$ in $S$ is an infinite path in the associated transition system $TS(S)$ denoted as: $\rho := c_0 \xrightarrow{\delta_0} \cdots \xrightarrow{\delta_{m-1}} c_m \xrightarrow{\delta_m} \cdots$ where $c_i \in Q \times \mathbb{N}^n$ and $\delta_i \in \Delta$ for all $i \in \mathbb{N}$. We say that a counter system is flat if every node in the underlying graph belongs to at most one simple cycle (a cycle being simple if no edge is repeated twice in it) [4,15,5]. We denote by $\mathcal{CFS}$ the class of flat counter systems. A Kripke structure $S$ can be seen as a counter system without counters and is denoted by $(Q, \Delta, l)$ where $\Delta \subseteq Q \times Q$ and $l : Q \to 2^{AT}$. Standard notions on counter systems, such as configuration, run or flatness, naturally apply to Kripke structures.
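To make these definitions concrete, the following Python code is an added example (it is not code from the paper): it encodes a small counter system of dimension 2, evaluates guards ($v \models g$), computes the successors of a configuration in $TS(S)$ (an update that would make a counter negative yields no transition, since configurations live in $Q \times \mathbb{N}^n$), reads off the letter of a constrained alphabet at a configuration, and decides flatness. The system, its labels, the guard names and the encoding of guards as nested tuples are constructed for this example; the flatness check uses the equivalent condition that no control state lies on two elementary (state-simple) cycles, which is this example's formulation rather than the paper's wording.

```python
# Added example (not from the paper): a counter system of dimension 2,
# guard evaluation, one-step successors in TS(S) and a flatness check.

OPS = {"=": lambda l, r: l == r, "<": lambda l, r: l < r, ">": lambda l, r: l > r,
       "<=": lambda l, r: l <= r, ">=": lambda l, r: l >= r}

# A guard g in G(C_n) is a Boolean combination of atomic guards
#   sum_i a_i * x_i ~ b, encoded (our convention) as nested tuples:
#   ("atom", (a_1,...,a_n), "~", b) | ("not", g) | ("and", g, g') | ("or", g, g') | ("true",)

def holds(v, g):
    """v |= g : substitute v[i] for x_i and evaluate the Boolean combination."""
    kind = g[0]
    if kind == "true":
        return True
    if kind == "atom":
        _, coeffs, op, b = g
        return OPS[op](sum(a * x for a, x in zip(coeffs, v)), b)
    if kind == "not":
        return not holds(v, g[1])
    if kind == "and":
        return holds(v, g[1]) and holds(v, g[2])
    if kind == "or":
        return holds(v, g[1]) or holds(v, g[2])
    raise ValueError(f"unknown guard constructor {kind!r}")

class CounterSystem:
    """S = (Q, C_n, Delta, l); a transition is (q, guard, update, q')."""
    def __init__(self, states, dim, delta, labels):
        self.states, self.dim, self.delta, self.labels = states, dim, delta, labels

    def successors(self, q, v):
        """All (q', v') with (q, v) --delta--> (q', v') in TS(S), in the order of Delta."""
        out = []
        for src, g, u, dst in self.delta:
            if src != q or not holds(v, g):
                continue
            v2 = tuple(x + d for x, d in zip(v, u))
            if all(x >= 0 for x in v2):  # configurations live in Q x N^n
                out.append((dst, v2))
        return out

    def letter(self, q, v, at, agn):
        """Letter of the constrained alphabet (at, ag_n, 2^{at u ag_n}) read at (q, v):
        the propositions of at labelling q plus the atomic guards of ag_n that v satisfies."""
        props = frozenset(p for p in at if p in self.labels.get(q, ()))
        return props | frozenset(g for g in agn if holds(v, g))

    def cycles_through(self, q):
        """Number of elementary cycles of the control graph through q
        (parallel transitions between the same states count as distinct edges)."""
        succ = {}
        for src, _, _, dst in self.delta:
            succ.setdefault(src, []).append(dst)
        count = 0
        def dfs(cur, visited):
            nonlocal count
            for nxt in succ.get(cur, ()):
                if nxt == q:
                    count += 1
                elif nxt not in visited:
                    dfs(nxt, visited | {nxt})
        dfs(q, {q})
        return count

    def is_flat(self):
        """Flat iff every control state belongs to at most one simple cycle."""
        return all(self.cycles_through(q) <= 1 for q in self.states)

# Constructed guards over C_2 (names are ours)
X1_GE_1 = ("atom", (1, 0), ">=", 1)     # x1 >= 1
X2_GE_2 = ("atom", (0, 1), ">=", 2)     # x2 >= 2
X1_EQ_X2 = ("atom", (1, -1), "=", 0)    # x1 - x2 = 0

def example_system():
    """Constructed flat system: a self-loop on q1 and the cycle q2 -> q3 -> q2."""
    delta = [
        ("q0", ("true",), (1, 0), "q1"),
        ("q1", X1_GE_1, (-1, 1), "q1"),     # loop moving one unit from x1 to x2
        ("q1", ("true",), (0, 0), "q2"),
        ("q2", ("true",), (0, 1), "q3"),
        ("q3", X2_GE_2, (0, -1), "q2"),     # back edge of the cycle q2 -> q3 -> q2
    ]
    return CounterSystem(["q0", "q1", "q2", "q3"], 2, delta,
                         {"q1": {"p"}, "q3": {"p", "q"}})

def non_flat_system():
    """Same system with an extra self-loop on q3, which then lies on two simple cycles."""
    s = example_system()
    return CounterSystem(s.states, s.dim,
                         s.delta + [("q3", ("true",), (0, 0), "q3")], s.labels)
```

The `letter` method is exactly the letter $a_i$ that a run position $(q_i, v_i)$ must carry for $\rho \models w$ in Section 2.2: a proposition of $at$ is in the letter iff it labels $q_i$, and an atomic guard of $ag_n$ is in the letter iff $v_i$ satisfies it.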



2.2 Model-Checking Problem

We now define our main model-checking problem on flat counter systems parameterized by a specification language $\mathcal{L}$. First, we need to introduce the notion of constrained alphabet whose letters should be understood as Boolean combinations of atomic formulae (details follow). A constrained alphabet is a triple of the form $(at, ag_n, \Sigma)$ where $at$ is a finite subset of $AT$, $ag_n$ is a finite subset of atomic guards from $G(C_n)$ and $\Sigma$ is a subset of $2^{at \cup ag_n}$. The size of a constrained alphabet is given by $\mathrm{size}((at, ag_n, \Sigma)) = \mathrm{card}(at) + \mathrm{card}(ag_n) + \mathrm{card}(\Sigma)$ where $\mathrm{card}(X)$ denotes the cardinality of the set $X$. Of course, any standard alphabet (finite set of letters) can be easily viewed as a constrained alphabet (by ignoring the structure of letters). Given an infinite run $\rho := (q_0, v_0) \to (q_1, v_1) \cdots$ from a counter system with $n$ counters and an $\omega$-word over a constrained alphabet $w = a_0, a_1, \ldots \in \Sigma^\omega$, we say that $\rho$ satisfies $w$, written $\rho \models w$, whenever for $i \geq 0$, we have $p \in l(q_i)$ [resp. $p \notin l(q_i)$] for every $p \in (a_i \cap at)$ [resp. $p \in (at \setminus a_i)$] and $v_i \models g$ [resp. $v_i \not\models g$] for every $g \in (a_i \cap ag_n)$ [resp. $g \in (ag_n \setminus a_i)$].

A specification language $\mathcal{L}$ over a constrained alphabet $(at, ag_n, \Sigma)$ is a set of specifications $A$, each of them defining a set $L(A)$ of $\omega$-words over $\Sigma$. We will also sometimes consider specification languages over (unconstrained) standard finite alphabets (as usually defined). We now define the model-checking problem over flat counter systems with specification language $\mathcal{L}$ (written $MC(\mathcal{L}, \mathcal{CFS})$): it takes as input a flat counter system $S$, a configuration $c$ and a specification $A$ from $\mathcal{L}$ and asks whether there is a run $\rho$ starting at $c$ and $w \in \Sigma^\omega$ in $L(A)$ such that $\rho \models w$. We write $\rho \models A$ whenever there is $w \in L(A)$ such that $\rho \models w$.

2.3 A Bunch of Specification Languages

Infinite Automata. Now let us define the specification languages BA and ABA, respectively with nondeterministic Büchi automata and with alternating Büchi automata. We consider here transitions labeled by Boolean combinations of atoms from $at \cup ag_n$. A specification $A$ in ABA is a structure of the form $(Q, E, q_0, F)$ where $E$ is a finite subset of $Q \times \mathbb{B}(at \cup ag_n) \times \mathbb{B}^+(Q)$ and $\mathbb{B}^+(Q)$ denotes the set of positive Boolean combinations built over $Q$. Specification $A$ is a concise representation for the alternating Büchi automaton $B_A = (Q, \delta, q_0, F)$ where $\delta : Q \times 2^{at \cup ag_n} \to \mathbb{B}^+(Q)$ and $\delta(q, a) = \bigvee_{(q, \psi, \psi') \in E,\ a \models \psi} \psi'$. We say that $A$ is over the constrained alphabet $(at, ag_n, \Sigma)$ whenever, for all edges $(q, \psi, \psi') \in E$, $\psi$ holds at most for letters from $\Sigma$ (i.e. the transition relation of $B_A$ belongs to $Q \times \Sigma \to \mathbb{B}^+(Q)$). We then have $L(A) = L(B_A)$ with the usual acceptance criterion for alternating Büchi automata. The specification language BA is defined in a similar way using Büchi automata. Hence the transition relation $E$ of $A = (Q, E, q_0, F)$ in BA is included in $Q \times \mathbb{B}(at \cup ag_n) \times Q$ and the transition relation of the Büchi automaton $B_A$ is then included in $Q \times 2^{at \cup ag_n} \times Q$.

Linear-time Temporal Logics. Below, we present briefly three logical languages that are tailored to specify runs of counter systems, namely ETL (see e.g. [28,21]), Past LTL (see e.g. [23]) and linear $\mu$-calculus (or $\mu$TL), see e.g. [25]. A specification in one of these logical specification languages is just a formula. The differences with their standard versions, in which models are $\omega$-sequences of propositional valuations, are listed below: models are infinite runs of counter systems; atomic formulae are either propositional variables in $AT$ or atomic guards; given an infinite run $\rho := (q_0, v_0) \to (q_1, v_1) \cdots$, we will have $\rho, i \models p \Leftrightarrow p \in l(q_i)$ and $\rho, i \models g \Leftrightarrow v_i \models g$. The temporal operators, fixed-point operators and automata-based operators are then interpreted as usual. A formula $\phi$ built over the propositional variables in $at$ and the atomic guards in $ag_n$ defines a language $L(\phi)$ over $(at, ag_n, \Sigma)$ with $\Sigma = 2^{at \cup ag_n}$. There is no need to recall here the syntax and semantics of ETL, Past LTL and linear $\mu$-calculus since with their standard definitions and with the above-mentioned differences, their variants for counter systems are defined unambiguously (see a lengthy presentation of Past LTL for counter systems in [5]). However, we may recall a few definitions on-the-fly if needed. Herein the size of formulae is understood as the number of subformulae.

Example. In the adjoining figure, we present a flat counter system with two counters and with labeling function $l$ such that $l(q_3) = \{p, q\}$ and $l(q_5) = \{p\}$. We would like to characterize the set of configurations $c$ with control state $q_1$ such that there is some infinite run from $c$ for which after some position $i$, all future even positions $j$ (i.e. $i \equiv_2 j$) satisfy that $p$ holds and the first counter is equal to the second counter.

[Figure: the flat counter system with two counters used in this example; the control graph is not recoverable from the extracted text, only fragments of the transition labels (guard, update) survive.]

This can be specified in linear $\mu$-calculus using as atomic formulae either propositional variables or atomic guards. The corresponding formula in linear $\mu$-calculus is: $\mu Z_1.(\mathrm{X}(\nu Z_2.(p \wedge (x_1 - x_2 = 0) \wedge \mathrm{X}\mathrm{X} Z_2)) \vee \mathrm{X} Z_1)$. Clearly, such a position $i$ occurs in any run after reaching the control state $q_3$ with the same value for both counters. Hence, the configurations $(q_1, v)$ satisfying these properties have counter values $v \in \mathbb{N}^2$ verifying the Presburger formula below:

$\exists y\, \big(((x_1 = 3y + x_2) \wedge (\forall y'\, g(x_2 + y', x_2 + y') \wedge g'(x_2 + y', x_2 + y' + 1))) \vee ((x_2 = 2y + x_1) \wedge (\forall y'\, g(x_1 + y', x_1 + y') \wedge g'(x_1 + y', x_1 + y' + 1)))\big)$

In the paper, we shall establish how to compute such formulae systematically (even without universal quantifications) for different specification languages.



3 Constrained Path Schemas

In [5] we introduced minimal path schemas for flat counter systems. Now, we introduce constrained path schemas, which are more abstract than path schemas. A constrained path schema $\mathrm{cps}$ is a pair $(p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k (l_k)^\omega,\ \phi(x_1, \ldots, x_{k-1}))$ where the first component is an $\omega$-regular expression over a constrained alphabet $(at, ag_n, \Sigma)$ with the $p_i$'s and $l_i$'s in $\Sigma^*$, and $\phi(x_1, \ldots, x_{k-1}) \in G(C_{k-1})$. Each constrained path schema defines a language $L(\mathrm{cps}) \subseteq \Sigma^\omega$ given by $L(\mathrm{cps}) = \{p_1 (l_1)^{n_1} \cdots p_{k-1} (l_{k-1})^{n_{k-1}} p_k (l_k)^\omega : \phi(n_1, \ldots, n_{k-1})$ holds true$\}$. The size of $\mathrm{cps}$, written $\mathrm{size}(\mathrm{cps})$, is equal to $2k + \mathrm{len}(p_1 l_1 \cdots p_{k-1} l_{k-1} p_k l_k) + \mathrm{size}(\phi(x_1, \ldots, x_{k-1}))$. Observe that in general constrained path schemas are defined over a constrained alphabet, and so are the associated specifications unless stated otherwise.

Let us consider below the three decision problems on constrained path schemas that are useful in the rest of the paper. The consistency problem checks whether $L(\mathrm{cps})$ is non-empty. It amounts to verifying the satisfiability status of the second component. Let us recall the result below.



Theorem 1. [22] There are polynomials $\mathrm{pol}_1(\cdot)$, $\mathrm{pol}_2(\cdot)$ and $\mathrm{pol}_3(\cdot)$ such that for every guard $g$, say in $G(C_n)$, of size $N$, we have (I) there exist $B \subseteq [0, 2^{\mathrm{pol}_1(N)}]^n$ and $P_1, \ldots, P_\alpha \in [0, 2^{\mathrm{pol}_1(N)}]^n$ with $\alpha \leq 2^{\mathrm{pol}_2(N)}$ such that for every $y \in \mathbb{N}^n$, $y \models g$ iff there are $b \in B$ and $a \in \mathbb{N}^\alpha$ such that $y = b + a[1] P_1 + \cdots + a[\alpha] P_\alpha$; (II) if $g$ is satisfiable, then there is $y \in [0, 2^{\mathrm{pol}_3(N)}]^n$ s.t. $y \models g$.

Consequently, the consistency problem is NP-complete (the hardness being obtained by reducing SAT). The intersection non-emptiness problem, clearly related to the model-checking problem, takes as input a constrained path schema $\mathrm{cps}$ and a specification $A \in \mathcal{L}$ and asks whether $L(\mathrm{cps}) \cap L(A) \neq \emptyset$. Typically, for several specification languages $\mathcal{L}$, we establish the existence of a computable map $f_{\mathcal{L}}$ (at most exponential) such that whenever $L(\mathrm{cps}) \cap L(A) \neq \emptyset$ there is $p_1 (l_1)^{n_1} \cdots p_{k-1} (l_{k-1})^{n_{k-1}} p_k (l_k)^\omega$ belonging to the intersection and for which each $n_i$ is bounded by $f_{\mathcal{L}}(A, \mathrm{cps})$. This motivates the introduction of the membership problem for $\mathcal{L}$ that takes as input a constrained path schema $\mathrm{cps}$, a specification $A \in \mathcal{L}$ and $n_1, \ldots, n_{k-1} \in \mathbb{N}$ and checks whether $p_1 (l_1)^{n_1} \cdots p_{k-1} (l_{k-1})^{n_{k-1}} p_k (l_k)^\omega \in L(A)$. Here the $n_i$'s are understood to be encoded in binary and we do not require them to satisfy the constraint of the path schema. Since constrained path schemas are abstractions of the path schemas used in [5], from this work we can show that runs from flat counter systems can be represented by a finite set of constrained path schemas as stated below.

Theorem 2. Let $at$ be a finite set of atomic propositions, $ag_n$ be a finite set of atomic guards from $G(C_n)$, $S$ be a flat counter system whose atomic propositions and atomic guards are from $at \cup ag_n$ and $c_0 = (q_0, v_0)$ be an initial configuration. One can construct in exponential time a set $X$ of constrained path schemas s.t.: (I) Each constrained path schema $\mathrm{cps}$ in $X$ has an alphabet of the form $(at, ag_n, \Sigma)$ ($\Sigma$ may vary) and $\mathrm{cps}$ is of polynomial size. (II) Checking whether a constrained path schema belongs to $X$ can be done in polynomial time. (III) For every run $\rho$ from $c_0$, there is a constrained path schema $\mathrm{cps}$ in $X$ and $w \in L(\mathrm{cps})$ such that $\rho \models w$. (IV) For every constrained path schema $\mathrm{cps}$ in $X$ and for every $w \in L(\mathrm{cps})$, there is a run $\rho$ from $c_0$ such that $\rho \models w$.

In order to take advantage of Theorem 2 for the verification of flat counter systems, we need to introduce an additional property: $\mathcal{L}$ has the nice subalphabet property iff for all specifications $A \in \mathcal{L}$ over $(at, ag_n, \Sigma)$ and for all constrained alphabets $(at, ag_n, \Sigma')$, one can build a specification $A'$ over $(at, ag_n, \Sigma')$ in polynomial time in the sizes of $A$ and $(at, ag_n, \Sigma')$ such that $L(A) \cap (\Sigma')^\omega = L(A')$. We need this property to build from $A$ and a constrained path schema over $(at, ag_n, \Sigma')$ the specification $A'$. This property will also be used to transform a specification over $(at, ag_n, \Sigma)$ into a specification over the finite alphabet $\Sigma'$.

Lemma 3. BA, ABA, $\mu$TL, ETL and Past LTL have the nice subalphabet property.

The abstract Algorithm 1, which performs the following steps (1) to (3), takes as input $S$, a configuration $c_0$ and $A \in \mathcal{L}$ and solves $MC(\mathcal{L}, \mathcal{CFS})$: (1) Guess $\mathrm{cps}$ over $(at, ag_n, \Sigma')$ in $X$; (2) Build $A'$ such that $L(A) \cap (\Sigma')^\omega = L(A')$; (3) Return $L(\mathrm{cps}) \cap L(A') \neq \emptyset$. Thanks to Theorem 2, the first guess can be performed in polynomial time and, with the nice subalphabet property, we can build $A'$ in polynomial time too. This allows us to conclude the following lemma, which is a consequence of the correctness of the above algorithm (Appendix C).

Lemma 4. If $\mathcal{L}$ has the nice subalphabet property and its intersection non-emptiness problem is in NP [resp. PSpace], then $MC(\mathcal{L}, \mathcal{CFS})$ is in NP [resp. PSpace].

We know that the membership problem for Past LTL is in PTime and the intersection non-emptiness problem is in NP (as a consequence of [5, Theorem 3]). By Lemma 4, we are able to conclude the main result from [5]: $MC(\mathrm{PastLTL}, \mathcal{CFS})$ is in NP. This is not surprising at all since in this paper we present a general method for different specification languages that rests on Theorem 2 (a consequence of technical developments from [5]).



4 Taming First-Order Logic and Flat Counter Systems

In this section, we consider first-order logic as a specification language. By Kamp's Theorem, first-order logic has the same expressive power as Past LTL and hence model-checking first-order logic over flat counter systems is decidable too [5]. However this does not provide us with an optimal upper bound for the model-checking problem. In fact, it is known that the satisfiability problem for first-order logic formulae is non-elementary and consequently the translation into Past LTL leads to a significant blow-up in the size of the formula.

4.1 First-Order Logic in a Nutshell

For defining first-order logic formulae, we consider a countably infinite set of variables $Z$ and a finite (unconstrained) alphabet $\Sigma$. The syntax of first-order logic over atomic propositions $\mathrm{FO}_\Sigma$ is then given by the following grammar: $\phi ::= a(z) \mid S(z, z') \mid z < z' \mid z = z' \mid \neg\phi \mid \phi \wedge \phi' \mid \exists z\, \phi(z)$ where $a \in \Sigma$ and $z, z' \in Z$. For a formula $\phi$, we will denote by $\mathrm{free}(\phi)$ its set of free variables defined as usual. A formula with no free variable is called a sentence. As usual, we define the quantifier height $qh(\phi)$ of a formula $\phi$ as the maximum nesting depth of the operators $\exists$ in $\phi$. Models for $\mathrm{FO}_\Sigma$ are $\omega$-words over the alphabet $\Sigma$ and variables are interpreted by positions in the word. A position assignment is a partial function $f : Z \to \mathbb{N}$. Given a model $w \in \Sigma^\omega$, a $\mathrm{FO}_\Sigma$ formula $\phi$ and a position assignment $f$ such that $f(z) \in \mathbb{N}$ for every variable $z \in \mathrm{free}(\phi)$, the satisfaction relation $\models_f$ is defined as usual. Given a $\mathrm{FO}_\Sigma$ sentence $\phi$, we write $w \models \phi$ when $w \models_f \phi$ for an arbitrary position assignment $f$. The language of $\omega$-words $w$ over $\Sigma$ associated to a sentence $\phi$ is then $L(\phi) = \{w \in \Sigma^\omega \mid w \models \phi\}$. For $n \in \mathbb{N}$, we define the equivalence relation $\approx_n$ between $\omega$-words over $\Sigma$ as: $w \approx_n w'$ when for every sentence $\phi$ with $qh(\phi) \leq n$, $w \models \phi$ iff $w' \models \phi$.



FO on CS. FO formulae interpreted over infinite runs of counter systems are defined as FO formulae over a finite alphabet except that atomic formulae of the form $a(z)$ are replaced by atomic formulae of the form $p(z)$ or $g(z)$ where $p$ is an atomic proposition and $g$ is an atomic guard from $G(C_n)$. Hence, a formula $\phi$ built over atomic formulae from a finite set $at$ of atomic propositions and from a finite set $ag_n$ of atomic guards from $G(C_n)$ defines a specification for the constrained alphabet $(at, ag_n, 2^{at \cup ag_n})$. Note that the alphabet can be of exponential size in the size of $\phi$ and $p(z)$ actually corresponds to the disjunction $\bigvee_{p \in a} a(z)$.

Lemma 5. FO has the nice subalphabet property. 

We have taken time to properly define first-order logic for counter systems (whose models are runs of counter systems, see also Section 2.2) but below, we will mainly operate with $\mathrm{FO}_\Sigma$ over a standard (unconstrained) alphabet. Let us state our first result about $\mathrm{FO}_\Sigma$, which allows us to bound the number of times each loop is taken in a constrained path schema in order to satisfy a formula. We provide a stuttering theorem equivalent for $\mathrm{FO}_\Sigma$ formulas as is done in [5] for PLTL and in [13] for LTL. The lengthy proof of Theorem 6 uses Ehrenfeucht-Fraïssé games (Appendix E).

Theorem 6 (Stuttering Theorem). Let $w = w_1 s^N w_2$, $w' = w_1 s^{N+M} w_2 \in \Sigma^\omega$ such that $N \geq 1$, $M \geq 2^{N+1}$ and $s \in \Sigma^+$. Then $w \approx_N w'$.

4.2 Model-Checking Flat Counter Systems with FO

Let us characterize the complexity of $MC(\mathrm{FO}, \mathcal{CFS})$. First, we will state the complexity of the intersection non-emptiness problem. Given a constrained path schema $\mathrm{cps}$ and a FO sentence $\psi$, Theorem 1 provides two polynomials $\mathrm{pol}_1$ and $\mathrm{pol}_2$ to represent succinctly the solutions of the guard in $\mathrm{cps}$. Theorem 6 allows us to bound the number of times loops are visited. Consequently, we can compute a value $f_{\mathrm{FO}}(\psi, \mathrm{cps})$ exponential in the size of $\psi$ and $\mathrm{cps}$, as explained earlier, which allows us to find a witness for the intersection non-emptiness problem where each loop is taken a number of times smaller than $f_{\mathrm{FO}}(\psi, \mathrm{cps})$.

Lemma 7. Let $\mathrm{cps}$ be a constrained path schema and $\psi$ be a $\mathrm{FO}_\Sigma$ sentence. Then $L(\mathrm{cps}) \cap L(\psi)$ is non-empty iff there is an $\omega$-word in $L(\mathrm{cps}) \cap L(\psi)$ in which each loop is taken at most $2^{(qh(\psi)+2)+\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))+\mathrm{pol}_2(\mathrm{size}(\mathrm{cps}))}$ times.

Hence $f_{\mathrm{FO}}(\psi, \mathrm{cps})$ has the value $2^{(qh(\psi)+2)+(\mathrm{pol}_1+\mathrm{pol}_2)(\mathrm{size}(\mathrm{cps}))}$. Furthermore, checking whether $L(\mathrm{cps}) \cap L(\psi)$ is non-empty amounts to guessing some $\mathbf{n} \in [0, 2^{(qh(\psi)+2)+\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))+\mathrm{pol}_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and verifying whether $w = p_1 (l_1)^{\mathbf{n}[1]} \cdots p_{k-1} (l_{k-1})^{\mathbf{n}[k-1]} p_k (l_k)^\omega \in L(\mathrm{cps}) \cap L(\psi)$. Checking if $w \in L(\mathrm{cps})$ can be done in polynomial time in $(qh(\psi)+2) + \mathrm{pol}_1(\mathrm{size}(\mathrm{cps})) + \mathrm{pol}_2(\mathrm{size}(\mathrm{cps}))$ (and therefore in polynomial time in $\mathrm{size}(\psi) + \mathrm{size}(\mathrm{cps})$) since this amounts to verifying whether $\mathbf{n} \models \phi$. Checking whether $w \in L(\psi)$ can be done in exponential space in $\mathrm{size}(\psi) + \mathrm{size}(\mathrm{cps})$ by using [17, Proposition 4.2]. Hence, this leads to a nondeterministic exponential space decision procedure for the intersection non-emptiness problem, but it is possible to get down to nondeterministic polynomial space using the succinct representation of constrained path schemas, as stated by Lemma 8 below, for which the lower bound is deduced from the fact that model-checking ultimately periodic words with first-order logic is PSpace-hard [17].

Lemma 8. The membership problem with $\mathrm{FO}_\Sigma$ is PSpace-complete.

Note that the membership problem for FO is stated for unconstrained alphabets, but due to the nice subalphabet property of FO, the same holds for constrained alphabets since given a FO formula over $(at, ag_n, \Sigma)$, we can build in polynomial time a FO formula over $(at, ag_n, \Sigma')$ from which we can also build in polynomial time a formula of $\mathrm{FO}_{\Sigma'}$ (where $\Sigma'$ is for instance the alphabet labeling a constrained path schema). We can now state the main results concerning FO.

Theorem 9. (I) The intersection non-emptiness problem with FO is PSpace-complete. (II) $MC(\mathrm{FO}, \mathcal{CFS})$ is PSpace-complete. (III) Model-checking flat Kripke structures with FO is PSpace-complete.

Proof. (I) is a consequence of Lemma 7 and Lemma 8. We obtain (II) from (I) by applying Lemma 4 and Lemma 5. (III) is obtained by observing that flat Kripke structures form a subclass of flat counter systems. To obtain the lower bound, we use that model-checking ultimately periodic words with first-order logic is PSpace-hard [17]. □

5 Taming Linear $\mu$-calculus and Other Languages

We now consider several specification languages defining $\omega$-regular properties on atomic propositions and arithmetical constraints. First, we deal with BA by establishing Theorem 10 and then deduce results for ABA, ETL and $\mu$TL.

Theorem 10. Let $B = (Q, \Sigma, q_0, \Delta, F)$ be a Büchi automaton (with standard definition) and $\mathrm{cps} = (p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k (l_k)^\omega,\ \phi(x_1, \ldots, x_{k-1}))$ be a constrained path schema over $\Sigma$. We have $L(\mathrm{cps}) \cap L(B) \neq \emptyset$ iff there exists $\mathbf{y} \in [0, 2^{\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))} + 2 \cdot \mathrm{card}(Q)^{\mathrm{size}(\mathrm{cps})} \times 2^{\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))+\mathrm{pol}_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ such that $p_1 (l_1)^{\mathbf{y}[1]} \cdots p_{k-1} (l_{k-1})^{\mathbf{y}[k-1]} p_k (l_k)^\omega \in L(B) \cap L(\mathrm{cps})$ ($\mathrm{pol}_1$ and $\mathrm{pol}_2$ are from Theorem 1).

Theorem 10 can be viewed as a pumping lemma involving an automaton and semilinear sets. Thanks to it we obtain an exponential bound for the map $f_{\mathrm{BA}}$ so that $f_{\mathrm{BA}}(B, \mathrm{cps}) = 2^{\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))} + 2 \cdot \mathrm{card}(Q)^{\mathrm{size}(\mathrm{cps})} \times 2^{\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))+\mathrm{pol}_2(\mathrm{size}(\mathrm{cps}))}$.

So checking $L(\mathrm{cps}) \cap L(B) \neq \emptyset$ amounts to guessing some $\mathbf{n} \in [0, 2^{\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))} + 2 \cdot \mathrm{card}(Q)^{\mathrm{size}(\mathrm{cps})} \times 2^{\mathrm{pol}_1(\mathrm{size}(\mathrm{cps}))+\mathrm{pol}_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and checking whether the word $w = p_1 (l_1)^{\mathbf{n}[1]} \cdots p_{k-1} (l_{k-1})^{\mathbf{n}[k-1]} p_k (l_k)^\omega \in L(\mathrm{cps}) \cap L(B)$. Checking whether $w \in L(\mathrm{cps})$ can be done in polynomial time in $\mathrm{size}(B) + \mathrm{size}(\mathrm{cps})$ since this amounts to checking $\mathbf{n} \models \phi$. Checking whether $w \in L(B)$ can also be done in polynomial time by using the results from [17]. Indeed, $w$ can be encoded in polynomial time as a pair of straight-line programs and by [17, Corollary 5.4] this can be done in polynomial time. So, the membership problem for Büchi automata is in PTime. By using that BA has the nice subalphabet property and that we can create a polynomial-size Büchi automaton from a given BA specification and $\mathrm{cps}$, we get the following result.



Lemma 11. The intersection non-emptiness problem with BA is NP-complete.

Now, by Lemma 3, Lemma 4 and Lemma 11, we get the result below, for which the lower bound is obtained from an easy reduction of SAT.

Theorem 12. $MC(\mathrm{BA}, \mathcal{CFS})$ is NP-complete.

We are now ready to deal with ABA, ETL and linear $\mu$-calculus. A language $\mathcal{L}$ has the nice BA property iff for every specification $A$ from $\mathcal{L}$, we can build a Büchi automaton $B_A$ such that $L(A) = L(B_A)$, each state of $B_A$ is of polynomial size, it can be checked if a state is initial [resp. accepting] in polynomial space and the transition relation can be decided in polynomial space too. So, given a language $\mathcal{L}$ having the nice BA property, a constrained path schema $\mathrm{cps}$ and a specification $A \in \mathcal{L}$, if $L(\mathrm{cps}) \cap L(A)$ is non-empty, then there is an $\omega$-word in $L(\mathrm{cps}) \cap L(A)$ such that each loop is taken at most a number of times bounded by $f_{\mathrm{BA}}(B_A, \mathrm{cps})$. So $f_{\mathcal{L}}(A, \mathrm{cps})$ is obviously bounded by $f_{\mathrm{BA}}(B_A, \mathrm{cps})$. Hence, checking whether $L(\mathrm{cps}) \cap L(A)$ is non-empty amounts to guessing some $\mathbf{n} \in [0, f_{\mathcal{L}}(A, \mathrm{cps})]^{k-1}$ and checking whether $w = p_1 (l_1)^{\mathbf{n}[1]} \cdots p_{k-1} (l_{k-1})^{\mathbf{n}[k-1]} p_k (l_k)^\omega \in L(\mathrm{cps}) \cap L(A)$. Checking whether $w \in L(\mathrm{cps})$ can be done in polynomial time in $\mathrm{size}(A) + \mathrm{size}(\mathrm{cps})$ since this amounts to checking $\mathbf{n} \models \phi$. Checking whether $w \in L(A)$ can be done in nondeterministic polynomial space by reading $w$ while guessing an accepting run for $B_A$. Actually, one guesses a state $q$ from $B_A$, checks whether the prefix $p_1 (l_1)^{\mathbf{n}[1]} \cdots p_{k-1} (l_{k-1})^{\mathbf{n}[k-1]} p_k$ can reach it, and then checks non-emptiness between $(l_k)^\omega$ and the Büchi automaton $B_A$ taken with $q$ as initial state. Again, this can be done in nondeterministic polynomial space thanks to the nice BA property. We obtain the lemma below.

Lemma 13. The membership problem and the intersection non-emptiness problem for $\mathcal{L}$ having the nice BA property are in PSpace.
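The membership problem of Section 3 and the procedure just described (unfold $p_1 (l_1)^{\mathbf{n}[1]} \cdots p_k (l_k)^\omega$, check $\mathbf{n} \models \phi$, read the prefix with the automaton, then look for an accepting cycle over $(l_k)^\omega$) can be run on small inputs with the following Python code, which is an added example and not code from the paper. It assumes letters of the constrained alphabet are represented as frozensets of atom names, that the guard $\phi$ of the schema is given as a Python predicate on $\mathbf{n}$, and that a BA specification carries transitions $(q, \psi, q')$ with $\psi$ a predicate on letters. The exponents are unfolded in unary (fine for small $\mathbf{n}$); the polynomial-time algorithm of the paper instead encodes the word as straight-line programs [17]. The schema and automata below are constructed for the example.

```python
# Added example (not from the paper): membership of an unfolded constrained
# path schema in the language of a Büchi automaton, and witness checking
# for the intersection non-emptiness problem.

def L(*atoms):
    """A letter of a constrained alphabet: the set of atoms that hold at a position."""
    return frozenset(atoms)

class ConstrainedPathSchema:
    """cps = (p_1 (l_1)^* ... p_{k-1} (l_{k-1})^* p_k (l_k)^omega, phi(x_1, ..., x_{k-1}))."""
    def __init__(self, segments, phi):
        self.segments = segments  # list of (p_i, l_i) pairs; the last l_k is the omega-loop
        self.phi = phi            # Python predicate on n standing in for the guard phi in G(C_{k-1})

    def word(self, n):
        """Unfold p_1 l_1^{n[0]} ... p_{k-1} l_{k-1}^{n[k-2]} p_k (l_k)^omega
        into an ultimately periodic word, returned as (prefix, loop)."""
        assert len(n) == len(self.segments) - 1, "one exponent per starred loop"
        prefix = []
        for (p, l), times in zip(self.segments, n):
            prefix += p + l * times
        p_k, l_k = self.segments[-1]
        return prefix + p_k, l_k

    def consistent(self, n):
        """n |= phi, i.e. the unfolded word belongs to L(cps)."""
        return self.phi(n)

class Buchi:
    """Büchi automaton with transitions (q, pred, q'); pred tests a letter."""
    def __init__(self, init, accepting, delta):
        self.init, self.accepting, self.delta = init, set(accepting), delta

    def step(self, states, letter):
        return {q2 for q in states for (q1, pred, q2) in self.delta
                if q1 == q and pred(letter)}

def reachable(start, succ):
    """All nodes reachable from the nodes in `start` (themselves included)."""
    seen, todo = set(start), list(start)
    while todo:
        x = todo.pop()
        for y in succ(x):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen

def buchi_accepts(aut, prefix, loop):
    """Does the automaton accept prefix . loop^omega ?
    Read the prefix (subset construction), then search the finite product of
    states with loop positions for an accepting node that lies on a cycle."""
    current = {aut.init}
    for a in prefix:
        current = aut.step(current, a)
    m = len(loop)
    def succ(node):
        q, i = node
        return {(q2, (i + 1) % m) for q2 in aut.step({q}, loop[i])}
    reach = reachable({(q, 0) for q in current}, succ)
    return any(node[0] in aut.accepting and node in reachable(succ(node), succ)
               for node in reach)

def membership(cps, aut, n):
    """Membership problem: is p_1 l_1^{n[0]} ... p_k (l_k)^omega in L(B)?  (n need not satisfy phi)"""
    prefix, loop = cps.word(n)
    return buchi_accepts(aut, prefix, loop)

def witness(cps, aut, n):
    """n witnesses L(cps) ∩ L(B) ≠ ∅ iff n |= phi and the unfolded word is accepted."""
    return cps.consistent(n) and membership(cps, aut, n)

# Constructed inputs: at = {p, q}, one atomic guard named "x1=x2" (k = 2, one starred loop)
CPS = ConstrainedPathSchema(
    segments=[([L()], [L("p")]),                       # p_1 = {}, l_1 = {p}
              ([L("q")], [L("p", "x1=x2"), L("q")])],  # p_2 = {q}, l_2 = {p,x1=x2} {q}
    phi=lambda n: n[0] >= 1)                           # phi(x_1) := x_1 >= 1
ANY = lambda a: True
# "infinitely often (p and x1=x2)": s1 is accepting and is entered on such letters
INF_OFTEN_P_AND_GUARD = Buchi("s0", {"s1"}, [
    ("s0", ANY, "s0"), ("s0", lambda a: {"p", "x1=x2"} <= a, "s1"), ("s1", ANY, "s0")])
# "p at every position": the only state is accepting and is left on letters without p
ALWAYS_P = Buchi("t0", {"t0"}, [("t0", lambda a: "p" in a, "t0")])
```

Calling `membership(CPS, INF_OFTEN_P_AND_GUARD, [2])` unfolds the word $\{\}\,\{p\}\,\{p\}\,\{q\}\,(\{p, x_1{=}x_2\}\{q\})^\omega$ and accepts it, whereas `ALWAYS_P` rejects it already on the first letter; `witness(CPS, INF_OFTEN_P_AND_GUARD, [0])` is false only because $0 \not\models \phi$.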

Let us recall consequences of results from the literature. ETL has the nice BA property by [26], linear $\mu$-calculus has the nice BA property by [25] and ABA has the nice BA property by [20]. Note that the results for ETL and ABA can also be obtained thanks to translations into linear $\mu$-calculus. By Lemma 13, Lemma 4 and the above-mentioned results, we obtain the following results.

Theorem 14. $MC(\mathrm{ABA}, \mathcal{CFS})$, $MC(\mathrm{ETL}, \mathcal{CFS})$ and $MC(\mu\mathrm{TL}, \mathcal{CFS})$ are in PSpace.

Note that for obtaining the PSpace upper bound, we use the same procedure for all the logics. Using that the emptiness problem for finite alternating automata over a single-letter alphabet is PSpace-hard [9], we are also able to get lower bounds.

Theorem 15. (I) The intersection non-emptiness problem for ABA [resp. $\mu$TL] is PSpace-hard. (II) $MC(\mathrm{ABA}, \mathcal{CFS})$ and $MC(\mu\mathrm{TL}, \mathcal{CFS})$ are PSpace-hard.

According to the proof of Theorem 15 (Appendix K), PSpace-hardness already holds for a fixed Kripke structure, which is actually a simple path schema. Hence, for linear $\mu$-calculus, there is a complexity gap between model-checking unconstrained path schemas with two loops (in UP∩co-UP [10]) and model-checking unconstrained path schemas (Kripke structures) made of a single loop, which is in contrast to Past LTL, for which model-checking unconstrained path schemas with a bounded number of loops is in PTime [5, Theorem 9].

As an additional corollary, we can solve the global model-checking problem with existential Presburger formulae. Global model-checking consists in characterizing the set of initial configurations from which there exists a run satisfying a given specification. We knew that Presburger formulae exist for global model-checking [6] for Past LTL (and therefore for FO) but we can conclude that they are structurally simple and we provide an alternative proof. Moreover, the question had been open for $\mu$TL since the decidability status of $MC(\mu\mathrm{TL}, \mathcal{CFS})$ has only been resolved in the present work.

Corollary 16. Let $\mathcal{L}$ be a specification language among FO, BA, ABA, ETL or $\mu$TL. Given a flat counter system $S$, a control state $q$ and a specification $A$ in $\mathcal{L}$, one can effectively build an existential Presburger formula $\phi(z_1, \ldots, z_n)$ such that for all $v \in \mathbb{N}^n$, $v \models \phi$ iff there is a run $\rho$ starting at $(q, v)$ verifying $\rho \models A$.

6 Conclusion

We characterized the complexity of $MC(\mathcal{L}, \mathcal{CFS})$ for prominent linear-time specification languages $\mathcal{L}$ whose letters are made of atomic propositions and linear constraints. We proved the PSpace-completeness of the problem with linear $\mu$-calculus (decidability was open), for alternating Büchi automata and also for FO. When specifications are expressed with Büchi automata, the problem is shown NP-complete. Global model-checking is also possible on flat counter systems with such specification languages. Even though the core of our work relies on small solutions of quantifier-free Presburger formulae, stuttering properties, an automata-based approach and on-the-fly algorithms, our approach is designed to be generic. Not only does this witness the robustness of our method, but our complexity characterization also justifies further why verification of flat counter systems can be at the core of methods for model-checking counter systems. Our main results are in the table below with useful comparisons ('Ult. periodic KS' stands for ultimately periodic Kripke structures, namely a path followed by a loop).





          | Flat counter systems | Kripke struct. | Flat Kripke struct. | Ult. periodic KS
μTL       | PSpace-C (Thm. 14)   | PSpace-C [25]  | PSpace-C (Thm. 14)  | in UP ∩ co-UP [18]
ABA       | PSpace-C (Thm. 14)   | PSpace-C       | PSpace-C (Thm. 14)  | in PTime (see e.g. [12, p. 3])
ETL       | in PSpace (Thm. 14)  | PSpace-C [23]  | in PSpace [23]      | in PTime (see e.g. [2ia2])
BA        | NP-C (Thm. 12)       | in PTime       | in PTime            | in PTime
FO        | PSpace-C (Thm. 9)    | Non-el. [24]   | PSpace-C (Thm. 9)   | PSpace-C [17]
Past LTL  | NP-C [5]             | PSpace-C [23]  | NP-C [11,5]         | PTime [14]
A Proof of Theorem 2

Below, we provide the main steps of the proof; details can be found in [5].

Proof (sketch). Let us explain how to build the set $X$.

1. Given a flat counter system $S$ and a state $q$ from $c$, there is at most an exponential number of minimal path schemas starting at $q$ in the sense of [5, Lemma 4]. Let $Y_1$ be this set of minimal path schemas.

2. For each path schema $P$ in $Y_1$, there is a set of path schemas $Y_P$ such that the path schemas in $Y_P$ have no disjunctions in guards and satisfaction of guards can be concluded from the states, see [5, Theorem 14]. Let $Y_2$ be this set of unfolded path schemas; it is of cardinality at most exponential.

3. Following [5, Lemma 12], every path schema from $Y_2$ is equivalent to a constrained path schema. The set $X$ is precisely the set of constrained path schemas obtained from all the unfolded path schemas from $Y_2$.

Completeness of the set $X$ is a consequence of [5, Lemma 12] and [5, Theorem 14(4-6)]. Satisfaction of the size constraints is a consequence of [5, Lemma 12] and [5, Theorem 14(2-3)]. □

B Proof of Lemma 3

Proof. Let $A = (Q, E, q_0, F)$ be a specification in BA over the alphabet $(\mathrm{at}, \mathrm{ag}_n, \Sigma)$ and $\Sigma' \subseteq \Sigma$. The specification $A' = (Q, E', q_0, F)$ such that $L(A') = L(A) \cap (\Sigma')^\omega$ is defined as follows: for every edge $q \to q'$ in $E$ and every $a \in \Sigma'$, we include in $E'$ the edge $q \to q'$ guarded by $\psi_a$, where $\psi_a$ is defined as a conjunction made of positive literals from $a$ and negative literals from $(\mathrm{at} \cup \mathrm{ag}_n) \setminus a$. A similar transformation can be performed with specifications in ABA.

Let $\phi$ be a formula for $\mathcal{L}$ among linear $\mu$-calculus, ETL or Past LTL built over atomic formulae in $\mathrm{at} \cup \mathrm{ag}_n$ and let $(\mathrm{at}, \mathrm{ag}_n, \Sigma')$ be a constrained alphabet. The formula $\phi'$ such that $L(\phi') = L(\phi) \cap (\Sigma')^\omega$ is obtained from $\phi$ by replacing every atomic formula $p$ by $\bigvee_{\{a \in \Sigma' \mid p \in a\}} \psi_a$. □

C Correctness of Algorithm 1

Proof. First assume there exists a run $\rho$ of $S$ starting at $c_0$ such that $\rho \models A$. By Theorem 2, there is a constrained path schema cps with an alphabet of the form $(\mathrm{at}, \mathrm{ag}_n, \Sigma')$ in $X$ and $w \in L(\mathrm{cps})$ such that $\rho \models w$. Consequently we deduce that $w \in L(A)$ and that $L(\mathrm{cps}) \cap L(A) \neq \emptyset$. Since $L(\mathrm{cps}) \subseteq (\Sigma')^\omega$ and since $L(A) \cap (\Sigma')^\omega = L(A')$, we deduce that $L(\mathrm{cps}) \cap L(A') \neq \emptyset$. Hence Algorithm 1 has an accepting run.

Now if Algorithm 1 has an accepting run, we deduce that there exists a constrained path schema cps with an alphabet of the form $(\mathrm{at}, \mathrm{ag}_n, \Sigma')$ in $X$ such that there exists a word $w$ in $L(\mathrm{cps}) \cap L(A')$. Using the nice subalphabet property we deduce that $w \in L(A)$ and by the last point of Theorem 2, we know that there exists a run $\rho$ from $S$ starting at $c_0$ such that $\rho \models w$. This allows us to conclude that $\rho \models A$. □

D Proof of Lemma 5

Proof. Consider an FO formula $\phi$ that defines a specification over the constrained alphabet $(\mathrm{at}, \mathrm{ag}_n, \Sigma)$ with $\Sigma = 2^{\mathrm{at} \cup \mathrm{ag}_n}$. Consider a subalphabet $\Sigma' \subseteq \Sigma$. Let $\phi''$ be the formula obtained from $\phi$ by replacing every occurrence of $p(z)$ by $\bigvee_{\{a \in \Sigma' \mid p \in a\}} a(z)$ and every occurrence of $g(z)$ by $\bigvee_{\{a \in \Sigma' \mid g \in a\}} a(z)$. It is easy to see that, by construction, $L(\phi'') = L(\phi) \cap (\Sigma')^\omega$. □

E EF Games and Proof of Theorem 6

E.1 Ehrenfeucht-Fraïssé Games

The Ehrenfeucht-Fraïssé (EF) game is a well known technique to determine whether two structures are equivalent with respect to a set of formulae. We recall here the definition of an EF game adapted to our context. Given $N \in \mathbb{N}$ and two $\omega$-words $w, w'$ over $\Sigma$, the main idea of the corresponding EF game is that two players, the Spoiler and the Duplicator, play in a turn based manner. The Spoiler begins by choosing a word between $w$ and $w'$ and a position in this word, then the Duplicator aims at finding a position in the other word which is similar, and this during $N$ rounds. At the end, the Duplicator wins if the set of chosen positions respects some isomorphism. We now move to the formal definition of such a game.

Let $w$ and $w'$ be two $\omega$-words over $\Sigma$. We define a play as a finite sequence of triples $(p_1,a_1,b_1)(p_2,a_2,b_2)\cdots(p_i,a_i,b_i)$ in $(\{0,1\} \times \mathbb{N}^2)^*$ where for each triple the first element describes which word has been chosen by the Spoiler (0 for the word $w$), then the second element corresponds to the position chosen in $w$ and the third element to the position chosen in $w'$ by the Spoiler or the Duplicator according to the word chosen by the Spoiler. For instance if $p_1 = 1$, this means that at the first turn Spoiler has chosen the position $b_1$ in $w'$ and Duplicator the position $a_1$ in $w$. A play of size $i \in \mathbb{N}$ is called an $i$-round play (a 0-round play being an empty sequence). A strategy for the Spoiler is a mapping $\sigma_S : (\{0,1\} \times \mathbb{N}^2)^* \to \{0,1\} \times \mathbb{N}$ which takes as input a play and outputs 0 or 1 for words $w$ or $w'$ respectively and a position in the word. Similarly, a strategy for the Duplicator is a mapping $\sigma_D : (\{0,1\} \times \mathbb{N}^2)^* \times (\{0,1\} \times \mathbb{N}) \to \mathbb{N}$ with the difference being that Duplicator takes into account the position played by the Spoiler in the current round. For all $i \in \mathbb{N}$, a strategy $\sigma_S$ for the Spoiler and a strategy $\sigma_D$ for the Duplicator, the $i$-round play over $w$ and $w'$ following $\sigma_S$ and $\sigma_D$ is defined inductively as follows: $\Pi^{\sigma_S,\sigma_D}_i(w,w') = \Pi^{\sigma_S,\sigma_D}_{i-1}(w,w')\,(p,a,b)$ where if $p = 0$, $(0,a) = \sigma_S(\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w'))$ and $b = \sigma_D(\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w'),(0,a))$, and if $p = 1$, $(1,b) = \sigma_S(\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w'))$ and $a = \sigma_D(\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w'),(1,b))$.

For $N \in \mathbb{N}$, an $N$-round play $(p_1,a_1,b_1)(p_2,a_2,b_2)\cdots(p_N,a_N,b_N)$ over $w$ and $w'$ is winning for Duplicator iff the following conditions are satisfied for all $i, j \in [1,N]$:

- $a_i = a_j$ iff $b_i = b_j$,

- $a_i + 1 = a_j$ iff $b_i + 1 = b_j$,

- $a_i < a_j$ iff $b_i < b_j$,

- $w(a_i) = w'(b_i)$.

An $N$-round EF game over the $\omega$-words $w, w'$, denoted as $\mathrm{EF}_N(w,w')$, is said to be winning if there exists a strategy $\sigma_D$ for Duplicator such that for all strategies $\sigma_S$ of Spoiler, the play $\Pi^{\sigma_S,\sigma_D}_N(w,w')$ is winning for Duplicator. We write $w \equiv_N w'$ iff the game $\mathrm{EF}_N(w,w')$ is winning. Theorem 17 below states that for two $\omega$-words, the $N$-round game is winning iff these two $\omega$-words satisfy the same set of first-order formulae of quantifier height smaller than $N$.

Theorem 17 (EF Theorem, see e.g. [16]). For any two $\omega$-words $w, w'$ over $\Sigma$, $w \equiv_N w'$ iff $w \approx_N w'$.

We will use EF games for $\mathrm{FO}_\Sigma$ formulae to prove a stuttering theorem which will allow us to bound the number of times each loop needs to be taken in a path schema in order to satisfy an $\mathrm{FO}_\Sigma$ formula. Note that in [7], EF games have been introduced for the specific case of LTL specifications, there also to show some small model properties.



E.2 Stuttering Theorem for $\mathrm{FO}_\Sigma$

In this section, we prove that if in an $\omega$-sequence $w$ a subword $s$ is repeated consecutively a large number of times, then this $\omega$-word and other $\omega$-words obtained by removing some of the repetitions of $s$ satisfy the same set of $\mathrm{FO}_\Sigma$ sentences; this is what we call the stuttering theorem for $\mathrm{FO}_\Sigma$. Such a result will allow us to bound the number of iterations of loops in path schemas and thus to obtain a model-checking algorithm for the logic $\mathrm{FO}_\Sigma$ optimal in complexity. In order to prove the stuttering theorem, we will use EF games.

In the sequel we consider a natural $N \geq 1$ and two $\omega$-words over $\Sigma$ of the following form: $w = w_1 s^M w_2$, $w' = w_1 s^{M+1} w_2 \in \Sigma^\omega$ with $M > 2^{N+1}$, $w_1 \in \Sigma^*$, $s \in \Sigma^+$ and $w_2 \in \Sigma^\omega$. We will now show that the game $\mathrm{EF}_N(w,w')$ is winning. The strategy for Duplicator will work as follows: at the $i$-th round (for $i \leq N$), if the point chosen by the Spoiler is close to another previously chosen position then the Duplicator will choose a point in the other word at the exact same distance from the corresponding position, and if the point is far from any other position then in the other word the Duplicator will choose a position also far away from any other position.

Before providing a winning strategy for the Duplicator we define some invariants on any $i$-round play (with $i \leq N$) that will be maintained by the Duplicator's strategy. In order to define this invariant and the Duplicator's strategy, let us introduce a few notations:

- $a_{-3} = b_{-3} = 0$; $a_{-2} = b_{-2} = \mathrm{len}(w_1)$;

- $a_{-1} = \mathrm{len}(w_1 s^M)$ and $b_{-1} = \mathrm{len}(w_1 s^{M+1})$;

- $a_0 = b_0 = \omega$.

We extend the subtraction and addition operations in order to deal with $\mathbb{N} \cup \{-\omega, \omega\}$ such that: $a - \omega = -\omega$, $\omega - a = \omega$ and $\omega + a = \omega$ if $a \in \mathbb{N}$ (no need to define the other cases for what follows). The relation $<$ on $\mathbb{N} \cup \{-\omega, \omega\}$ is extended in the obvious way. Given an $i$-round play $\Pi_i = (p_1,a_1,b_1)(p_2,a_2,b_2)\cdots(p_i,a_i,b_i)$, we say that $\Pi_i$ respects the invariant $\mathfrak{I}$ iff the following conditions are satisfied for all $j, k \in [-3, i]$:

1. $a_j < a_k$ iff $b_j < b_k$,

2. $|a_j - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ iff $|b_j - b_k| < 2^{N+1-i}\,\mathrm{len}(s)$,

3. $|a_j - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ implies $a_j - a_k = b_j - b_k$,

4. $a_j < a_{-2}$ or $b_j < b_{-2}$ implies $b_j = a_j$,

5. $a_j > a_{-1}$ or $b_j > b_{-1}$ implies $b_j = a_j + \mathrm{len}(s)$,

6. $a_{-2} \leq a_j \leq a_{-1}$ or $b_{-2} \leq b_j \leq b_{-1}$ implies $|a_j - b_j| = 0 \bmod \mathrm{len}(s)$.

First we remark that the invariant $\mathfrak{I}$ is a sufficient condition for a play to be winning, as stated by the following lemma.

Lemma 18. If an $N$-round play over $w$ and $w'$ respects $\mathfrak{I}$, then it is a winning play for the Duplicator.

Proof. Let $(p_1,a_1,b_1)(p_2,a_2,b_2)\cdots(p_N,a_N,b_N)$ be an $N$-round play over $w$ and $w'$ respecting $\mathfrak{I}$. Let $i, j \in [1,N]$. It is easy to see that satisfaction of $\mathfrak{I}$ implies that $a_i = a_j$ iff $b_i = b_j$, $a_i < a_j$ iff $b_i < b_j$, and $a_i + 1 = a_j$ iff $b_i + 1 = b_j$. Moreover, Condition $\mathfrak{I}$(4-6) obviously guarantees that $w(a_j) = w'(b_j)$. □

Given an $(i-1)$-round play $\Pi_{i-1} = (p_1,a_1,b_1)(p_2,a_2,b_2)\cdots(p_{i-1},a_{i-1},b_{i-1})$ and $a_i \in \mathbb{N}$ such that $a_i \notin \{a_{-3}, a_{-2}, \ldots, a_{i-2}, a_{i-1}\}$, we define $\mathit{left}(a_i) = \max(a_k \mid k \in [-3, i-1] \text{ and } a_k < a_i)$ and $\mathit{right}(a_i) = \min(a_k \mid k \in [-3, i-1] \text{ and } a_i < a_k)$ (i.e. $\mathit{left}(a_i)$ and $\mathit{right}(a_i)$ are the closest neighbours of $a_i$). We define similarly $\mathit{left}(b_i)$ and $\mathit{right}(b_i)$.

We now define a strategy $\sigma_D$ for the Duplicator that respects at each round the invariant $\mathfrak{I}$, and this no matter what the Spoiler plays. By Lemma 18, we can conclude that this strategy is winning for the Duplicator. Let $i \in [1,N]$ and $\Pi_{i-1} = (p_1,a_1,b_1)(p_2,a_2,b_2)\cdots(p_{i-1},a_{i-1},b_{i-1})$ be an $(i-1)$-round play. First, we define $b_i = \sigma_D(\Pi_{i-1}, (0,a_i))$, that is what Duplicator answers if the Spoiler chooses position $a_i$ in the $\omega$-word $w$. We have $b_i = \sigma_D(\Pi_{i-1},(0,a_i))$ defined as follows:

- If $a_i = a_j$ for some $j \in [-3, i-1]$, then $b_i = b_j$;

- Otherwise, let $a_l = \mathit{left}(a_i)$ and $a_r = \mathit{right}(a_i)$:

  • If $a_i - a_l \leq a_r - a_i$, we have $b_i = b_l + (a_i - a_l)$

  • If $a_r - a_i < a_i - a_l$, we have $b_i = b_r - (a_r - a_i)$

Similarly we have $a_i = \sigma_D(\Pi_{i-1},(1,b_i))$ defined as follows:

- If $b_i = b_j$ for some $j \in [-3, i-1]$, then $a_i = a_j$;

- Otherwise, let $b_l = \mathit{left}(b_i)$ and $b_r = \mathit{right}(b_i)$:

  • If $b_i - b_l \leq b_r - b_i$, we have $a_i = a_l + (b_i - b_l)$

  • If $b_r - b_i < b_i - b_l$, we have $a_i = a_r - (b_r - b_i)$
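The Duplicator strategy $\sigma_D$ just defined, as an added example that is not the paper's code: it keeps the sentinel positions $a_{-3}, \ldots, a_0$ and $b_{-3}, \ldots, b_0$, answers each Spoiler move by the closest-neighbour rule above, and checks the four winning conditions of E.1 on the resulting play. The instance ($w_1$, $s$, $M$ and a periodic $w_2$) is constructed; taking $w_2$ periodic is an assumption made only so that the letter at any position can be computed.

```python
# Added example (not the paper's code): the Duplicator strategy of Appendix E.2
# on the constructed instance w = w1 s^M w2 and w' = w1 s^(M+1) w2.
# Assumption: w2 is periodic (w2 = t^omega for a finite word t), so the letter at
# any position is computable without materialising the omega-word.

OMEGA = float("inf")  # plays the role of the sentinel position "omega"


def make_word(w1, s, reps, t):
    """Letter function i -> letter of the omega-word w1 . s^reps . t^omega."""
    cut1 = len(w1)
    cut2 = cut1 + reps * len(s)

    def letter(i):
        if i < cut1:
            return w1[i]
        if i < cut2:
            return s[(i - cut1) % len(s)]
        return t[(i - cut2) % len(t)]

    return letter


class Duplicator:
    """sigma_D: answers Spoiler moves, keeping the positions a_j, b_j of the play."""

    def __init__(self, w1, s, M):
        # sentinels a_{-3}, a_{-2}, a_{-1}, a_0 and b_{-3}, ..., b_0 (indices 0..3 here)
        self.a = [0, len(w1), len(w1) + M * len(s), OMEGA]
        self.b = [0, len(w1), len(w1) + (M + 1) * len(s), OMEGA]

    def respond(self, p, pos):
        """Spoiler chose position pos in word p (0 = w, 1 = w'); return the answer."""
        mine, other = (self.a, self.b) if p == 0 else (self.b, self.a)
        if pos in mine:                       # a_i = a_j for an earlier j: answer b_j
            ans = other[mine.index(pos)]
        else:
            # closest neighbours left(pos) and right(pos) among earlier positions
            l = max((k for k in range(len(mine)) if mine[k] < pos), key=lambda k: mine[k])
            r = min((k for k in range(len(mine)) if pos < mine[k]), key=lambda k: mine[k])
            if pos - mine[l] <= mine[r] - pos:  # closer to the left neighbour
                ans = other[l] + (pos - mine[l])
            else:                              # closer to the right neighbour
                ans = other[r] - (mine[r] - pos)
        mine.append(pos)
        other.append(ans)
        return ans


def play(w1, s, M, t, spoiler_moves):
    """Run the game for the given Spoiler moves [(p, pos), ...]; return the play
    as (a_1..a_N, b_1..b_N) and whether it is winning for the Duplicator."""
    w, w_prime = make_word(w1, s, M, t), make_word(w1, s, M + 1, t)
    dup = Duplicator(w1, s, M)
    for p, pos in spoiler_moves:
        dup.respond(p, pos)
    a, b = dup.a[4:], dup.b[4:]              # drop the four sentinels
    N = len(a)
    winning = all(
        (a[i] == a[j]) == (b[i] == b[j])
        and (a[i] + 1 == a[j]) == (b[i] + 1 == b[j])
        and (a[i] < a[j]) == (b[i] < b[j])
        for i in range(N) for j in range(N)
    ) and all(w(a[i]) == w_prime(b[i]) for i in range(N))
    return a, b, winning


if __name__ == "__main__":
    # N = 3 rounds requires M > 2^(N+1) = 16; constructed words over {x, y, a, b, c, z}
    print(play("xy", "abc", 17, "z", [(0, 30), (1, 5), (0, 60)]))
```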

Lemma 19. For any Spoiler's strategy $\sigma_S$ and for all $i \in [0,N]$, we have that $\Pi^{\sigma_S,\sigma_D}_i(w,w')$ respects $\mathfrak{I}$.

Proof. The proof proceeds by induction on $i$. The base case for $i = 0$ is obvious since the empty play respects $\mathfrak{I}$. However, we need to use the fact that $M > 2^{N+1}$ (otherwise condition $\mathfrak{I}$.2 might not hold).

Let $\sigma_S$ be a Spoiler's strategy and for every $i \in [1,N]$, we assume that $\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w')$ respects $\mathfrak{I}$. Suppose that $\sigma_S(\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w')) = (0,a_i)$ and let $b_i = \sigma_D(\Pi^{\sigma_S,\sigma_D}_{i-1}(w,w'),(0,a_i))$.

(1.) Let $j, k \in [-3,i]$. If $j, k \in [-3, i-1]$, then by the induction hypothesis, $a_j < a_k$ iff $b_j < b_k$. Otherwise, let us suppose $j = i$ and $k \neq i$ (only remaining interesting case). If $a_i = a_{j'}$ for some $j' \in [-3, i-1]$, then $b_i = b_{j'}$ and therefore $a_i < a_k$ iff $b_i < b_k$ by the induction hypothesis. Otherwise, $a_l < a_i < a_r$ and $b_l < b_i < b_r$, which entails that $a_i < a_k$ iff $b_i < b_k$.

(4.) The case $j \in [-3, i-1]$ is immediate from the induction hypothesis. Now, suppose that $a_{-3} \leq a_i < a_{-2}$. If $a_i = a_j$ for some $j \in [-3, i-1]$, then $b_i = b_j$ and $a_{-3} \leq a_j < a_{-2}$. By induction hypothesis, $b_i = b_j = a_j = a_i$. Otherwise, $a_l < a_i < a_r$ and $a_l = b_l$ and $a_r = b_r$ by induction hypothesis. Either $a_i - a_l \leq a_r - a_i$ or $a_r - a_i < a_i - a_l$ implies that $b_i = a_i$.

(5.) The case $j \in [-3, i-1]$ is immediate from the induction hypothesis. Now, suppose that $a_{-1} < a_i$. If $a_i = a_j$ for some $j \in [-3, i-1]$, then $b_i = b_j$ and $a_{-1} < a_j$. By induction hypothesis, $b_i = b_j = a_j + \mathrm{len}(s) = a_i + \mathrm{len}(s)$. Otherwise, $a_l < a_i$ and $b_l = a_l + \mathrm{len}(s)$ by induction hypothesis. Since $a_r = \omega$, we have $b_i = b_l + (a_i - a_l) = a_i + \mathrm{len}(s)$.

(6.) The case $j \in [-3, i-1]$ is immediate from the induction hypothesis. Now, let us deal with $j = i$. Satisfaction of (4.) and (5.) implies that $a_{-2} \leq a_i \leq a_{-1}$ iff $b_{-2} \leq b_i \leq b_{-1}$. Suppose that $a_{-2} \leq a_i \leq a_{-1}$. So, $a_l < a_i < a_r$ and by induction hypothesis $|a_l - b_l| = 0 \bmod \mathrm{len}(s)$ and $|a_r - b_r| = 0 \bmod \mathrm{len}(s)$. If $a_i - a_l \leq a_r - a_i$, then $b_i = b_l + (a_i - a_l)$ and $|a_i - b_i| = |a_l - b_l|$, whence $|a_i - b_i| = 0 \bmod \mathrm{len}(s)$. Similarly, if $a_r - a_i < a_i - a_l$, then $b_i = b_r - (a_r - a_i)$ and $|a_i - b_i| = |a_r - b_r|$, whence $|a_i - b_i| = 0 \bmod \mathrm{len}(s)$.

(2.-3.) Let $j, k \in [-3, i]$. If $j, k \in [-3, i-1]$, then by the induction hypothesis, it is easy to verify that

- $|a_j - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ iff $|b_j - b_k| < 2^{N+1-i}\,\mathrm{len}(s)$,

- $|a_j - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ implies $a_j - a_k = b_j - b_k$.

Indeed, it is a consequence of the stronger properties below satisfied by induction hypothesis:

- $|a_j - a_k| < 2^{N+2-i}\,\mathrm{len}(s)$ iff $|b_j - b_k| < 2^{N+2-i}\,\mathrm{len}(s)$,

- $|a_j - a_k| < 2^{N+2-i}\,\mathrm{len}(s)$ implies $a_j - a_k = b_j - b_k$.

Otherwise, let us suppose $j = i$ and $k \neq i$ (only remaining interesting case). If $a_i = a_{j'}$ for some $j' \in [-3, i-1]$, then by the induction hypothesis, we have

- $|a_{j'} - a_k| < 2^{N+2-i}\,\mathrm{len}(s)$ iff $|b_{j'} - b_k| < 2^{N+2-i}\,\mathrm{len}(s)$,

- $|a_{j'} - a_k| < 2^{N+2-i}\,\mathrm{len}(s)$ implies $a_{j'} - a_k = b_{j'} - b_k$.

Again, this implies that

(I) $|a_i - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ iff $|b_i - b_k| < 2^{N+1-i}\,\mathrm{len}(s)$,

(II) $|a_i - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ implies $a_i - a_k = b_i - b_k$.

Now, suppose that there is no $j' \in [-3, i-1]$ such that $a_i = a_{j'}$.

Case 1: $a_i - a_l \leq a_r - a_i$ and $b_i = b_l + (a_i - a_l)$.

Case 1.1: $a_k \leq a_l$.

- $a_k = a_l$: $|a_i - a_k| = |b_i - b_k|$ and therefore (I)-(II) hold.

- $a_k < a_l$: If $|a_l - a_k| \geq 2^{N+1-i}\,\mathrm{len}(s)$, by induction hypothesis $|b_l - b_k| \geq 2^{N+1-i}\,\mathrm{len}(s)$ and $b_k < b_l$. So, $|a_i - a_k| \geq 2^{N+1-i}\,\mathrm{len}(s)$ and $|b_i - b_k| \geq 2^{N+1-i}\,\mathrm{len}(s)$. If $|a_i - a_l| \geq 2^{N+1-i}\,\mathrm{len}(s)$, by definition of $b_i$, $|a_i - a_l| = |b_i - b_l| \geq 2^{N+1-i}\,\mathrm{len}(s)$ and $b_k < b_l$. So, $|a_i - a_k| \geq 2^{N+1-i}\,\mathrm{len}(s)$ and $|b_i - b_k| \geq 2^{N+1-i}\,\mathrm{len}(s)$. If $|a_l - a_k| < 2^{N+1-i}\,\mathrm{len}(s)$ and $|a_i - a_l| < 2^{N+1-i}\,\mathrm{len}(s)$, then by induction hypothesis $|b_l - b_k| = |a_l - a_k|$, $|a_i - a_l| = |b_i - b_l|$, $a_k < a_l < a_i$ and $b_k < b_l < b_i$. So $|a_i - a_k| = |b_i - b_k|$, whence (I)-(II) hold.

Case 1.2: $a_r \leq a_k$.

- $|a_k - a_r| \geq 2^{N+1-i}\,\mathrm{len}(s)$: By induction hypothesis, $|b_k - b_r| \geq 2^{N+1-i}\,\mathrm{len}(s)$. So, $|a_k - a_i| \geq 2^{N+1-i}\,\mathrm{len}(s)$ and $|b_k - b_i| \geq 2^{N+1-i}\,\mathrm{len}(s)$ since $a_i < a_r \leq a_k$ and $b_i < b_r \leq b_k$.

- $|a_k - a_r| < 2^{N+1-i}\,\mathrm{len}(s)$: By induction hypothesis, $|b_k - b_r| = |a_k - a_r|$.
Case 1.2.1. $|a_r - a_l| < 2^{N+2-i}\,\mathrm{len}(s)$. By induction hypothesis, $|a_r - a_l| = |b_r - b_l|$ and therefore $|b_r - b_i| = |a_r - a_i|$. Whence, $|b_k - b_i| = |a_k - a_i|$, so (I)-(II) hold.
Case 1.2.2. $|a_r - a_l| \geq 2^{N+2-i}\,\mathrm{len}(s)$. By induction hypothesis, $|b_r - b_l| \geq 2^{N+2-i}\,\mathrm{len}(s)$. Moreover, since $a_i - a_l \leq a_r - a_i$, $a_r - a_i \geq 2^{N+1-i}\,\mathrm{len}(s)$. Since $b_i - b_l = a_i - a_l$, we have $b_r - b_i \geq 2^{N+1-i}\,\mathrm{len}(s)$ too. So, $a_k - a_i \geq 2^{N+1-i}\,\mathrm{len}(s)$ and $b_k - b_i \geq 2^{N+1-i}\,\mathrm{len}(s)$, which guarantees (I)-(II).

Case 2: $a_r - a_i < a_i - a_l$ and $b_i = b_r - (a_r - a_i)$.

Case 2.1: $a_k \geq a_r$. Similar to Case 1.1 by replacing $a_l$ by $a_r$, $b_l$ by $b_r$ and by permuting '$<$' with '$>$' and '$\leq$' with '$\geq$' about positions.

Case 2.2: $a_k \leq a_l$. Similar to Case 1.2 by replacing $a_r$ by $a_l$, $b_r$ by $b_l$ and by permuting '$<$' with '$>$' and '$\leq$' with '$\geq$' about positions. □

Using Lemmas 18 and 19, we deduce that Duplicator has a winning strategy against any strategy of the Spoiler in $\mathrm{EF}_N(w,w')$, so by Theorem 17, we can conclude Theorem 6 [Stuttering Theorem].
F Proof of Lemma 7

Proof. Let $\mathrm{cps} = (p_1(l_1)^* \cdots p_{k-1}(l_{k-1})^* p_k(l_k)^\omega,\ \phi(x_1, \ldots, x_{k-1}))$ be a constrained path schema and $\psi$ be a first-order sentence. Suppose that

$p_1(l_1)^{\mathbf{n}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}[k-1]} p_k(l_k)^\omega \in L(\mathrm{cps}) \cap L(\psi)$.

Let $B \subseteq [0, 2^{p_1(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and $P_1, \ldots, P_\alpha \in [0, 2^{p_1(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ be defined for the guard $\phi$ following Theorem 1. Since $\mathbf{n} \models \phi$, there are $\mathbf{b} \in B$ and $\mathbf{a} \in \mathbb{N}^\alpha$ such that $\mathbf{n} = \mathbf{b} + \mathbf{a}[1]P_1 + \cdots + \mathbf{a}[\alpha]P_\alpha$. Let $\mathbf{a}' \in \mathbb{N}^\alpha$ be defined from $\mathbf{a}$ such that $\mathbf{a}'[i] = \mathbf{a}[i]$ if $\mathbf{a}[i] \leq 2^{qh(\psi)+1} + 1$, otherwise $\mathbf{a}'[i] = 2^{qh(\psi)+1} + 1$. Note that $\mathbf{n}' = \mathbf{b} + \mathbf{a}'[1]P_1 + \cdots + \mathbf{a}'[\alpha]P_\alpha$ still satisfies $\phi$ and for every loop $i \in [1, k-1]$, $\mathbf{n}[i] > 2^{qh(\psi)+1}$ iff $\mathbf{n}'[i] > 2^{qh(\psi)+1}$. By Theorem 6, $p_1(l_1)^{\mathbf{n}'[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}'[k-1]} p_k(l_k)^\omega \in L(\psi)$. Now, let us bound the values in $\mathbf{n}'$.

- There are at most $2^{p_2(\mathrm{size}(\mathrm{cps}))}$ periods.

- Each basis or period has values in $[0, 2^{p_1(\mathrm{size}(\mathrm{cps}))}]$.

- Each period in $\mathbf{n}'$ is taken at most $2^{qh(\psi)+1} + 1$ times.

Consequently, each $\mathbf{n}'[i]$ is bounded by

$2^{p_1(\mathrm{size}(\mathrm{cps}))} + (2^{qh(\psi)+1} + 1) \times 2^{p_1(\mathrm{size}(\mathrm{cps}))} \times 2^{p_2(\mathrm{size}(\mathrm{cps}))}$

which is itself bounded by $2^{(qh(\psi)+2) + p_1(\mathrm{size}(\mathrm{cps})) + p_2(\mathrm{size}(\mathrm{cps}))}$. □

G Proof of Lemma 8

Proof. We want to show that the membership problem with first-order logic (with unconstrained alphabets) can be solved in polynomial space in $\mathrm{size}(\mathrm{cps}) + \mathrm{size}(\psi)$. Let cps, $\psi$ and $\mathbf{n} \in \mathbb{N}^{k-1}$ be an instance of the problem. For $i \in [1, k-1]$, let $\mathbf{n}'[i] = \min(\mathbf{n}[i], 2^{qh(\psi)+1} + 1)$. By Theorem 6, the propositions below are equivalent:

- $p_1(l_1)^{\mathbf{n}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}[k-1]} p_k(l_k)^\omega \in L(\psi)$,

- $p_1(l_1)^{\mathbf{n}'[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}'[k-1]} p_k(l_k)^\omega \in L(\psi)$.

Without any loss of generality, let us assume then that $\mathbf{n} \in [0, 2^{qh(\psi)+1} + 1]^{k-1}$. Let us decompose $w = p_1(l_1)^{\mathbf{n}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}[k-1]} p_k(l_k)^\omega$ as $u \cdot (v)^\omega$ where $u = p_1(l_1)^{\mathbf{n}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}[k-1]} p_k$ and $v = l_k$. Note that the length of $u$ is exponential in the size of the instance. We write $\tilde{\psi}$ to denote the formula $\psi$ in which every existential quantification is relativized to positions less than $\mathrm{len}(u) + \mathrm{len}(v) \times 2^{qh(\psi)}$. This means that every quantification '$\exists x \cdots$' is replaced by '$\exists x < (\mathrm{len}(u) + \mathrm{len}(v) \times 2^{qh(\psi)}) \cdots$'. By [17], we know that $w \models \psi$ iff $w \models \tilde{\psi}$. Now, checking $w \models \tilde{\psi}$ can be done in polynomial space by using a standard first-order model-checking algorithm, restricting ourselves to positions in $[0, \mathrm{len}(u) + \mathrm{len}(v) \times 2^{qh(\psi)}]$ for existential quantifications. Such positions can obviously be encoded in polynomial space. Moreover, note that given $i \in [0, \mathrm{len}(u) + \mathrm{len}(v) \times 2^{qh(\psi)}]$, one can check in polynomial time what is the $i$th letter of $w$. Details are standard and omitted here. By way of example, the $i$th letter of $w$ is the first letter of $l_k$ iff $i \geq \alpha$ and $(i - \alpha) = 0 \bmod \mathrm{len}(l_k)$, with $\alpha = \left(\sum_{j \in [1,k-1]} (\mathrm{len}(p_j) + \mathrm{len}(l_j) \times \mathbf{n}[j])\right) + \mathrm{len}(p_k)$.

A polynomial space algorithm for the membership problem is obtained by computing $\mathrm{FOSAT}(\mathrm{cps}, \mathbf{n}, \tilde{\psi}, f_0)$ with the algorithm FOSAT defined below ($f_0$ is a zero assignment function). Note that the polynomial space bound is obtained since the recursion depth is linear in $\mathrm{size}(\psi)$ and positions in $[0, \mathrm{len}(u) + \mathrm{len}(v) \times 2^{qh(\psi)}]$ can be encoded in polynomial space in $\mathrm{size}(\mathrm{cps}) + \mathrm{size}(\psi)$. Furthermore, since model-checking ultimately periodic words with first-order logic is PSPACE-hard [17], we deduce directly the lower bound for the membership problem with FO. □

Algorithm 1 FOSAT(cps, n, ψ, f)

if ψ = a(z) then
    Calculate the f(z)th letter b of w and return a = b.
else if ψ is of the form ¬ψ' then
    return not FOSAT(cps, n, ψ', f)
else if ψ = ψ_1 ∧ ψ_2 then
    return FOSAT(cps, n, ψ_1, f) and FOSAT(cps, n, ψ_2, f).
else if ψ is of the form ∃z < m ψ' then
    guess a position k ∈ [0, m − 1].
    return FOSAT(cps, n, ψ', f[z ↦ k]).
else if ψ is of the form R(z, z') for some R ∈ {=, <, S} then
    return R(f(z), f(z')).
end if
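The FOSAT procedure above, as an added example that is not the paper's code: it evaluates an FO sentence on $w = u \cdot (l_k)^\omega$ given as a path schema unfolding, computes the $i$th letter from the block offsets instead of building the word, applies the stuttering bound on $\mathbf{n}$ and the quantifier relativisation of Lemma 8, and replaces the nondeterministic guess by an exhaustive loop over positions. The tuple-based formula syntax, the schema encoding and the instance are all constructed for this example.

```python
# Added example (not the paper's code): the FOSAT procedure of Appendix G on the
# ultimately periodic word u . (l_k)^omega described by a path schema unfolding.
# Formula syntax (constructed for this example; S is the successor relation):
#   ("a", letter, z)      letter a at position z
#   ("not", f), ("and", f, g), ("exists", z, f)
#   ("rel", R, z, z2)     R in {"=", "<", "S"}, S(z, z2) iff z + 1 = z2
# A schema is a list [(p_1, l_1), ..., (p_k, l_k)] of finite words (lists of letters);
# n has k-1 entries and fixes w = p_1 l_1^n[0] ... p_{k-1} l_{k-1}^n[k-2] p_k l_k^omega.


def letter_at(segments, n, i):
    """i-th letter (0-based) of w, computed from the block offsets (the alpha of the text)."""
    pos = 0
    k = len(segments)
    for j, (p, l) in enumerate(segments):
        if i < pos + len(p):
            return p[i - pos]
        pos += len(p)
        if j == k - 1:                       # final loop l_k, repeated for ever
            return l[(i - pos) % len(l)]
        if i < pos + len(l) * n[j]:
            return l[(i - pos) % len(l)]
        pos += len(l) * n[j]


def prefix_length(segments, n):
    """len(u) for the decomposition w = u . (l_k)^omega."""
    k = len(segments)
    return sum(len(p) for p, _ in segments) + sum(len(segments[j][1]) * n[j] for j in range(k - 1))


def quantifier_height(f):
    tag = f[0]
    if tag in ("a", "rel"):
        return 0
    if tag == "not":
        return quantifier_height(f[1])
    if tag == "and":
        return max(quantifier_height(f[1]), quantifier_height(f[2]))
    return 1 + quantifier_height(f[2])      # exists


def fosat(segments, n, f, env, bound):
    """Evaluate f under the assignment env, quantifiers relativised to [0, bound)."""
    tag = f[0]
    if tag == "a":
        return letter_at(segments, n, env[f[2]]) == f[1]
    if tag == "not":
        return not fosat(segments, n, f[1], env, bound)
    if tag == "and":
        return fosat(segments, n, f[1], env, bound) and fosat(segments, n, f[2], env, bound)
    if tag == "exists":                      # exhaustive loop instead of a guess
        return any(fosat(segments, n, f[2], {**env, f[1]: k}, bound) for k in range(bound))
    R, x, y = f[1], env[f[2]], env[f[3]]
    return {"=": x == y, "<": x < y, "S": x + 1 == y}[R]


def model_check(segments, n, sentence):
    """w |= sentence, with the stuttering bound on n (Theorem 6) and the
    relativisation of quantifiers to len(u) + len(v) * 2^qh (Lemma 8)."""
    qh = quantifier_height(sentence)
    n_small = [min(x, 2 ** (qh + 1) + 1) for x in n]
    bound = prefix_length(segments, n_small) + len(segments[-1][1]) * 2 ** qh
    return fosat(segments, n_small, sentence, {}, bound)


def forall(z, f):
    return ("not", ("exists", z, ("not", f)))


def implies(f, g):
    return ("not", ("and", f, ("not", g)))


# Constructed instance: w = a b^n c (d e)^omega
SCHEMA = [(["a"], ["b"]), (["c"], ["d", "e"])]
# "every b is eventually followed by a c"
EVERY_B_THEN_C = forall("z", implies(("a", "b", "z"),
                        ("exists", "z2", ("and", ("rel", "<", "z", "z2"), ("a", "c", "z2")))))
# "some e is immediately followed by a c"
E_THEN_C = ("exists", "z", ("and", ("a", "e", "z"),
            ("exists", "z2", ("and", ("rel", "S", "z", "z2"), ("a", "c", "z2")))))

if __name__ == "__main__":
    print(model_check(SCHEMA, [100], EVERY_B_THEN_C), model_check(SCHEMA, [100], E_THEN_C))
```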

H Proof of Theorem 10

First, we establish the result below.

Lemma 20. Let $w \in L(B)$ for a Büchi automaton $B = (Q, \Sigma, q_0, \Delta, F)$, such that $w = w_1.u^{2\cdot|Q|^k}.w_2$ for some $k$. Then there exists an integer $K \in [1, |Q|]$ such that for all $N \in [1, |Q|^{k-2}]$, $w_1.u^{2\cdot|Q|^k - (K \times N)}.w_2 \in L(B)$.

Proof. Let $B = (Q, \Sigma, q_0, \Delta, F)$. Since $w = w_1.u^{2\cdot\mathrm{card}(Q)^k}.w_2 \in L(B)$, there exists an accepting run $\rho \in Q^\omega$ for $w$. We will construct an accepting run for $w' = w_1.u^{2\cdot\mathrm{card}(Q)^k - (K \times N)}.w_2$ in $B$ using $\rho$. In $w$, $u$ is repeated $2\cdot\mathrm{card}(Q)^k$ times. Consider the first $\mathrm{card}(Q) + 1$ iterations of $u$. Let the positions where the iterations of $u$ start be $m_1, m_2, \ldots, m_{\mathrm{card}(Q)+1}$. By the pigeon-hole principle, there exists some state $q \in Q$ such that for some $i < j \in [1, \mathrm{card}(Q)+1]$, $\rho(m_i) = \rho(m_j) = q$. Let $\alpha_1 = j - i + 1$. We consider $\mathrm{card}(Q) + 1$ iterations of $u$ after $m_j$. We proceed as before to obtain $\alpha_2$ and so on. Since $u$ is repeated $2\cdot\mathrm{card}(Q)^k$ times, we will obtain at least $\mathrm{card}(Q)^{k-1}$ (possibly different) values $\alpha_1, \alpha_2, \ldots, \alpha_{\mathrm{card}(Q)^{k-1}} \in [1, \mathrm{card}(Q)]$ because $\mathrm{card}(Q)^{k-1} \times (\mathrm{card}(Q) + 1) \leq 2\cdot\mathrm{card}(Q)^k$. Again, by the pigeon-hole principle, we know that there exist $j_1, j_2, \ldots, j_{\mathrm{card}(Q)^{k-2}} \in [1, \mathrm{card}(Q)^{k-1}]$ such that $\alpha_{j_1} = \cdots = \alpha_{j_{\mathrm{card}(Q)^{k-2}}} = K$ for some $K \in [1, \mathrm{card}(Q)]$ because $K \times \mathrm{card}(Q)^{k-2} \leq \mathrm{card}(Q)^{k-1}$. Note that for each such $\alpha_j$, $j \in \{j_1, j_2, \ldots, j_{\mathrm{card}(Q)^{k-2}}\}$, we have a corresponding different loop structure in $\rho$ where we have positions $a$ and $b$ in $w$ such that $w[a,b] = (u)^K$ and $\rho(a) = \rho(b) = q$ for some $q \in Q$, as shown in Figure 1. Hence, the run $\rho(1) \ldots \rho(a).\rho(b) \ldots$ is still an accepting run in $B$ for $w_1.u^{2\cdot\mathrm{card}(Q)^k - K}.w_2$. Since there are $\mathrm{card}(Q)^{k-2}$ such loops, it is easy to see that for every $N \in [1, \mathrm{card}(Q)^{k-2}]$, we can remove the loops corresponding to $\alpha_{j_1}, \alpha_{j_2}, \ldots, \alpha_{j_N}$ and have an accepting run for the word $w_1.u^{2\cdot\mathrm{card}(Q)^k - (K \times N)}.w_2$ in $B$. □

Fig. 1. Shape of a sample run


Proof (Theorem 10). Since $L(\mathrm{cps}) \cap L(B) \neq \emptyset$, there exists an infinite word $w$ such that $w \in L(B) \cap L(\mathrm{cps})$. Let $\mathbf{y} \in \mathbb{N}^{k-1}$ be the vector such that $w = p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k l_k^\omega$. We will now prove that either $\mathbf{y} \in [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{size}(B)^k \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ or we can construct another word

$w' = p_1(l_1)^{\mathbf{y}'[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}'[k-1]} p_k l_k^\omega$

such that $\mathbf{y}' \in [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{size}(B)^k \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and $w' \in L(\mathrm{cps}) \cap L(B)$. Since $\mathbf{y} \models \phi(x_1, \ldots, x_{k-1})$ and $\phi(x_1, \ldots, x_{k-1})$ is a quantifier-free Presburger formula, we know that there exist $\mathbf{b}, P_1, P_2, \ldots, P_\alpha \in [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and $\alpha \leq 2^{pol_2(\mathrm{size}(\mathrm{cps}))}$ such that $\mathbf{y} = \mathbf{b} + \sum_{i \in [1,\alpha]} a_i.P_i$ for some $(a_1, a_2, \ldots, a_\alpha) \in \mathbb{N}^\alpha$. Let us assume that $\mathbf{y} \notin [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{size}(B)^k \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and hence there exists some $a_j$, $j \in [1, \alpha]$, such that $a_j > 2\cdot\mathrm{card}(Q)^k$. We would like to find $a$ such that

$\mathbf{y}' = \mathbf{b} + \sum_{i \in [1,j-1]} a_i.P_i + (a_j - a)P_j + \sum_{i \in [j+1,\alpha]} a_i.P_i$

and

1. For any $a \leq a_j$, we have that $w'$ with $\mathbf{y}' = \mathbf{b} + \sum_{i \in [1,j-1]} a_i.P_i + (a_j - a)P_j + \sum_{i \in [j+1,\alpha]} a_i.P_i$ and $w' = p_1(l_1)^{\mathbf{y}'[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}'[k-1]} p_k l_k^\omega$ satisfies $w' \in L(\mathrm{cps})$. Indeed, by selecting any $a \leq a_j - 2\cdot\mathrm{card}(Q)^k$, we will obtain $\mathbf{y}' \in [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{size}(B)^k \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and $w' \in L(\mathrm{cps})$.

2. For showing that there exists a value for $a$ such that $\mathbf{y}' \in [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{size}(B)^k \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and $w' \in L(B)$, we will use Lemma 20. For each $m \in [1, k-1]$, we take $r_m = (l_m)^{P_j[m]}$, i.e. $r_m$ is $P_j[m]$ copies of $l_m$. Note that by our assumption, for each $m \in [1, k-1]$ we can factor $w$ as $w = w_1^m.(r_m)^{a_m}.w_2^m$ where $a_m > 2\cdot\mathrm{card}(Q)^k$. Thus, applying Lemma 20, we get that there exists $K_m \in [1, \mathrm{card}(Q)]$ such that for any $N_m \in [1, \mathrm{card}(Q)^{k-2}]$, $w'' = w_1^m.(r_m)^{a_m - (K_m \times N_m)}.w_2^m \in L(B)$. For each $m \in [1, k-1]$ we take $N_m = K_1 \times K_2 \cdots K_{m-1} \times K_{m+1} \cdots K_{k-1}$, which is less than or equal to $\mathrm{card}(Q)^{k-2}$. It is clear that for each $m \in [1, k-1]$, the number of iterations of $r_m$ we reduce is $N_m \times K_m$ and is the same for all $m$: $N_m \times K_m = K_1 \times K_2 \cdots K_{k-1}$. Combining the result of Lemma 20 for every loop $l_m$, $m \in [1, k-1]$, and taking $a = K_1 \times K_2 \cdots K_{k-1}$ in $\mathbf{y}'$ we obtain $w'$ such that $w' \in L(B)$.

We can continue the process to obtain $\mathbf{y}' \in [0, 2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{size}(B)^k \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}]^{k-1}$ and $w' \in L(B)$. □

I Proof of Lemma 11

Proof. Consider any given specification $A$ in BA and a constrained path schema cps. We first construct the Büchi automaton $B_A$ corresponding to $A$ as explained in Section 2.3. Recall that $A$ in BA has transitions labelled with Boolean combinations over $\mathrm{at} \cup \mathrm{ag}_n$ whereas the equivalent $B_A$ has transitions labelled with elements of $\Sigma = 2^{\mathrm{at} \cup \mathrm{ag}_n}$. Hence, in effect, $B_A$ could have an exponential number of transitions. On the other hand, by definition cps is defined over an alphabet $\Sigma' \subseteq \Sigma$. By Lemma 3, we know that BA has the nice subalphabet property. Hence, we can transform $A$ over $\Sigma$ to $A'$ over $\Sigma'$ in polynomial time. The Büchi automaton $B_{A'}$ obtained from $A'$ following the construction in Section 2.3 has transitions labelled by letters from $\Sigma'$. Clearly in this case the number of transitions in $B_{A'}$ is polynomial in $\mathrm{size}(\mathrm{cps})$. We obtain the following equivalences:

- using Lemma 3 and the fact that $L(\mathrm{cps}) \subseteq (\Sigma')^\omega$, $L(A) \cap L(\mathrm{cps})$ is non-empty iff $L(A') \cap L(\mathrm{cps})$ is non-empty;

- since $B_{A'}$ is obtained from $A'$ following the construction from Section 2.3, $L(B_{A'}) \cap L(\mathrm{cps})$ is non-empty iff $L(A') \cap L(\mathrm{cps})$ is non-empty.

Checking $L(B_{A'}) \cap L(\mathrm{cps})$ amounts to guessing $\mathbf{n} \in [0, f_{BA}(B_{A'}, \mathrm{cps})]^{k-1}$ and checking, for $w = p_1(l_1)^{\mathbf{n}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}[k-1]} p_k l_k^\omega$, whether $w \in L(B_{A'}) \cap L(\mathrm{cps})$. We know that checking $w \in L(B_{A'}) \cap L(\mathrm{cps})$ is in PTime and the construction of $B_{A'}$ from $A$ takes only polynomial time. Thus, checking whether $L(A) \cap L(\mathrm{cps})$ is non-empty can be done in polynomial time. □

J Proof of Lemma 13

Proof. First we prove that the membership problem for $\mathcal{L}$ having the nice BA property is in PSpace. Let $A \in \mathcal{L}$ over the constrained alphabet $(\mathrm{at}, \mathrm{ag}_n, \Sigma)$ and let $w = p_1(l_1)^{\mathbf{n}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{n}[k-1]} p_k(l_k)^\omega$ be a word over $\Sigma$. We would like to check whether $w \in L(A)$, which is equivalent, thanks to the nice BA property, to checking whether $w \in L(B_A)$.

To verify if $w \in L(B_A)$, we try to find a "lasso" structure in the Büchi automaton. Assume $B_A = (Q, \Sigma, \Delta, q_i, F)$. We proceed as follows. First, we guess a state $q_f \in F$ and a position $j \in [1, \mathrm{len}(l_k)]$. Then we consider the two finite state automata $A_1 = (Q, \Sigma, q_i, \Delta, \{q_f\})$ and $A_2 = (Q, \Sigma, q_f, \Delta, \{q_f\})$. Our method returns true iff both the following conditions are true:

1. $p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k\, l_k[1,j] \in L(A_1)$,

2. $L(A_2) \cap L(l_k[j+1, \mathrm{len}(l_k)]\, l_k^*\, l_k[1,j]) \neq \emptyset$.

We will now show the correctness of the above procedure. First let us assume that $w = p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k l_k^\omega \in L(B_A)$. Thus, there is an accepting run $\rho \in \Delta^\omega$ for $w$ in $B_A$. According to the Büchi acceptance condition there exists a state $q_f \in F$ which is visited infinitely often. In $w$ only $l_k$ is taken infinitely many times. Thus, $l_k$ being of finite size, there exists a position $j \in [1, \mathrm{len}(l_k)]$ such that transitions of the form $q \xrightarrow{l_k[j]} q_f$ for some $q \in Q$ occur infinitely many times in $\rho$. Thus, for $\rho$ to be an accepting run, there exists $w' = p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k l_k[1,j]$ which has a run in $B_A$ from $q_i$ to $q_f$, and there must exist a word $w'' \in L(l_k[j+1, \mathrm{len}(l_k)]\, l_k^*\, l_k[1,j])$ which has a run from $q_f$ to $q_f$. Hence we deduce that $w' \in L(A_1)$ and $L(A_2) \cap L(l_k[j+1, \mathrm{len}(l_k)]\, l_k^*\, l_k[1,j]) \neq \emptyset$. Thus, there exists at least one choice of $q_f$ and $j$ for which both the checks return true and hence the procedure returns true.

Now let us assume that the procedure returns true. Thus, there exist $q_f \in F$ and $j \in [1, \mathrm{len}(l_k)]$ such that $w_1 = p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k l_k[1,j]$ is in $L(A_1)$ and $L(A_2) \cap L(l_k[j+1, \mathrm{len}(l_k)]\, l_k^*\, l_k[1,j]) \neq \emptyset$. From the second point, we deduce that there exists a word $w_2 = l_k[j+1, \mathrm{len}(l_k)]\, l_k^n\, l_k[1,j] \in L(A_2)$ for some $n$. Consider the word $w = w_1.(w_2)^\omega$. First we have directly that $w \in L(\mathrm{cps})$. And by construction of $A_1$ and $A_2$ we know that $w_1$ has a run in $B_A$ from $q_i$ to $q_f$ and $w_2$ has a run in $B_A$ from $q_f$ to $q_f$. Since $q_f$ is an accepting state of $B_A$, we deduce that $w \in L(B_A)$.

The proof that the above procedure belongs to PSpace is standard and uses the nice BA property which allows us to perform the procedure "on-the-fly". First note that for $A$ in $\mathcal{L}$ having the nice BA property, the corresponding Büchi automaton $B_A$ can be of exponential size in the size of $A$, so we cannot construct the transition relation of $B_A$ explicitly; instead we do it on-the-fly. We consider the different steps of the procedure and show that they can be done in polynomial space.

1. $A_1$ and $A_2$ are essentially copies of $B_A$ and hence their transition relations are also not constructed explicitly. But, by the nice BA property, their states can be represented in polynomial space.

2. Checking $p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k l_k[1,j] \in L(A_1)$ can be done by simulating $A_1$ on this word. Note that for simulating $A_1$, at any position we only need to store the previous state and the letter at the current position to obtain the next state of $A_1$. Thus, this can be performed in polynomial space in $\mathrm{size}(A)$ and $\mathrm{size}(\mathrm{cps}) + \mathrm{size}(\mathbf{y})$.

3. Checking $L(A_2) \cap L(l_k[j+1, \mathrm{len}(l_k)]\, l_k^*\, l_k[1,j]) \neq \emptyset$ can be done by constructing a finite state automaton $A_{loop}$ for $L(l_k[j+1, \mathrm{len}(l_k)]\, l_k^*\, l_k[1,j])$ and by checking for reachability of a final state in the automaton $A_2 \times A_{loop}$. Note that $\mathrm{size}(A_{loop})$ is polynomial, but since $A_2$ can be of exponential size, $\mathrm{size}(A_2 \times A_{loop})$ can also be of exponential magnitude. However, the graph accessibility problem (GAP) is in NLogSpace, so checking $L(A_2) \cap L(A_{loop}) \neq \emptyset$ can also be done in nondeterministic polynomial space.

Thus, the whole procedure can be completed in nondeterministic polynomial space and by applying Savitch's theorem, we obtain that for any $\mathcal{L}$ satisfying the nice BA property, the membership problem for $\mathcal{L}$ is in PSpace.

Now we will prove that the intersection non-emptiness problem for $\mathcal{L}$ having the nice BA property is in PSpace too. Let $A$ in $\mathcal{L}$ with the nice BA property and let $\mathrm{cps} = (p_1(l_1)^* \cdots p_{k-1}(l_{k-1})^* p_k(l_k)^\omega,\ \phi(x_1, \ldots, x_{k-1}))$ be a constrained path schema. Thanks to the nice BA property we have that $L(\mathrm{cps}) \cap L(A) \neq \emptyset$ iff $L(\mathrm{cps}) \cap L(B_A) \neq \emptyset$. Using Theorem 10 we have $L(\mathrm{cps}) \cap L(B_A) \neq \emptyset$ iff there exists $\mathbf{y} \in [0, f_{BA}(B_A, \mathrm{cps})]^{k-1}$ such that $p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k l_k^\omega \in L(B_A) \cap L(\mathrm{cps})$, where $f_{BA}(B_A, \mathrm{cps})$ is equal to $2^{pol_1(\mathrm{size}(\mathrm{cps}))} + 2\cdot\mathrm{card}(Q)^{\mathrm{size}(\mathrm{cps})} \times 2^{pol_1(\mathrm{size}(\mathrm{cps})) + pol_2(\mathrm{size}(\mathrm{cps}))}$ ($Q$ being the set of states of $B_A$, whose cardinality is, thanks to the nice BA property, at most exponential in the size of $A$). Hence our algorithm amounts to guessing some $\mathbf{y} \in [0, f_{BA}(B_A, \mathrm{cps})]^{k-1}$ and checking whether $w = p_1(l_1)^{\mathbf{y}[1]} \cdots p_{k-1}(l_{k-1})^{\mathbf{y}[k-1]} p_k(l_k)^\omega \in L(\mathrm{cps}) \cap L(A)$. Since the membership problem for $A$ can be solved in PSpace and since the $\mathbf{y}[i]$ can be encoded in polynomial space in the size of $A$ and cps, we deduce that the intersection non-emptiness problem for $\mathcal{L}$ with the nice BA property is in PSpace. □



K Proof of Theorem 15 

Proof. (II) is a direct consequence of (I). 

First, we recall that an alternating finite automaton is a structure of the form $A = (Q, \Sigma, \delta, q_0, F)$ such that $Q$ and $\Sigma$ are finite nonempty sets, $\delta : Q \times \Sigma \to \mathbb{B}^+(Q)$ is the transition function ($\mathbb{B}^+(Q)$ is the set of positive Boolean formulae built over $Q$), $q_0 \in Q$ and $F \subseteq Q$. The acceptance predicate $Acc \subseteq Q \times \Sigma^*$ is defined by induction on the length of the second component so that (1) $(q_f, \varepsilon) \in Acc$ whenever $q_f \in F$ and (2) $(q, a \cdot w) \in Acc$ iff $v \models \delta(q, a)$ where $v$ is the Boolean assignment such that $v(q') = \top$ iff $(q', w) \in Acc$. We write $L(A)$ to denote the language $\{w \in \Sigma^* : (q_0, w) \in Acc\}$ and more generally, $L(A, q) = \{w \in \Sigma^* : (q, w) \in Acc\}$. It has been shown in [9] that checking whether an alternating finite automaton $A$ with a singleton alphabet has a non-empty language $L(A)$ is PSpace-hard. Without loss of generality, we can assume that (*) $q_0 \notin F$, (**) for every $q_f \in F$, $\delta(q_f, a) = \bot$, and (***) for every $q \in Q$, $\delta(q, a) \neq \top$, assuming that $a$ is the only letter, and still preserve PSpace-hardness. Indeed, let $A = (Q, \{a\}, \delta, q_0, F)$ be an alternating finite automaton and $A' = (Q', \{a\}, \delta', q_0^{new}, \{q_f^{new}\})$ be its variant such that $Q' = Q \cup \{q_0^{new}, q_f^{new}\}$, $\delta'(q_0^{new}, a) = q_0$, $\delta'(q_f^{new}, a) = \bot$ and for every $q \in Q$, $\delta'(q, a)$ is obtained from $\delta(q, a)$ by simultaneously replacing every occurrence of $q_f \in F$ by $(q_f \vee q_f^{new})$. In the case $\delta(q, a) = \top$ with $q \in Q$, $\delta'(q, a)$ is defined as $q \vee q_f^{new}$. It is clear from the construction that $A'$ satisfies the conditions of our assumption and $L(A') = a \cdot L(A)$; whence $L(A)$ is non-empty iff $L(A')$ is non-empty. 

In order to prove the result for ABA, it is sufficient to observe that given an alternating finite automaton $A$ built over the singleton alphabet $\{a\}$, one can build in logarithmic space an alternating Büchi automaton $A'$ over the alphabet $\{a, b\}$ such that $L(A') = L(A) \cdot \{b\}^\omega$. Roughly speaking, the reduction consists in taking the accepting states of $A$ and in letting them accept $\{b\}^\omega$ in $A'$. PSpace-hardness of the intersection non-emptiness problem for ABA is obtained by noting that $L(A)$ is non-empty iff $L((a^* \cdot b^\omega, \top)) \cap L(A') \neq \emptyset$. 

Now, let us deal with $\mu$TL. The PSpace-hardness is essentially obtained by reducing the nonemptiness problem for alternating finite automata with a singleton alphabet (see e.g. [9]) into the vectorial linear $\mu$-calculus with a fixed simple constrained path schema. A polynomial-time reduction into the linear $\mu$-calculus is then possible when formula sizes are measured in terms of numbers of subformulae. This is a standard type of reduction (see e.g. [27, Section 5.4]); we provide details below not only to be self-contained but also because we need a limited number of resources: no greatest fixed-point operator (e.g. no negation of the least fixed-point operator) and we then use a simple path schema. In the sequel, for ease of presentation, we consider this latter class of alternating finite automata and we present a logarithmic-space reduction into the intersection non-emptiness problem with linear $\mu$-calculus. More precisely, for every alternating finite automaton $A$ built over the singleton alphabet $\{\{p\}\}$, we build a formula $\phi_A$ in the linear $\mu$-calculus (without $\mathrm{X}^{-1}$ and the greatest fixed-point operator $\nu$) such that $L(A)$ is non-empty iff there is $\{p\} \cdot \{p\}^{n_1} \cdot \emptyset^\omega$ in $L(cps)$ with the constrained path schema $cps = (\{p\} \cdot \{p\}^* \cdot \emptyset^\omega, \top)$ and $\{p\} \cdot \{p\}^{n_1} \cdot \emptyset^\omega \models \phi_A$. In order to define $\phi_A$, we first build an intermediate formula in the vectorial version of the linear $\mu$-calculus, see e.g. similar developments in [27, Section 5.4], and then we translate it into an equivalent formula in the linear $\mu$-calculus by using the well-known Bekić's Principle. 

Let $A = (Q, \{\{p\}\}, \delta, q_0, F)$ be an alternating finite automaton with a singleton alphabet such that $q_0 \notin F$ and for every $q_f \in F$, $\delta(q_f, \{p\}) = \bot$. We order the states of $Q \setminus F$ as $q_1, \ldots, q_\alpha$, such that $q_1$ is the initial state. 

We define the formulae $\psi^0_1, \ldots, \psi^0_\alpha, \psi^1_1, \ldots, \psi^1_{\alpha-1}, \ldots, \psi^j_1, \ldots, \psi^j_{\alpha-j}, \ldots, \psi^{\alpha-1}_1$ in the vectorial version of the linear $\mu$-calculus such that $\mu z_1 \cdot \psi^{\alpha-1}_1$ belongs to the (standard) linear $\mu$-calculus. Such formulae will satisfy the following conditions. 



(I) For all $n \geq 1$, $\{p\}^n \in L(A)$ iff $\{p\}^n \cdot \emptyset^\omega \models \mu(z_1, \ldots, z_\alpha)(\psi^0_1, \ldots, \psi^0_\alpha) \cdot z_1$. 

(II) For all $j \in [0, \alpha-1]$, $\mu(z_1, \ldots, z_{\alpha-j})(\psi^j_1, \ldots, \psi^j_{\alpha-j}) \cdot z_1$ is equivalent to $\mu(z_1, \ldots, z_{\alpha-j-1})(\psi^{j+1}_1, \ldots, \psi^{j+1}_{\alpha-j-1}) \cdot z_1$. 

(III) Consequently, for all $n \geq 1$, $\{p\}^n \in L(A)$ iff $\{p\}^n \cdot \emptyset^\omega \models \mu z_1 \cdot \psi^{\alpha-1}_1$, and we pose $\phi_A = \mu z_1 \cdot \psi^{\alpha-1}_1$. 

Let us define the formulae below: the substitutions are simple and done hierarchically. 

(init) For every $i \in [1, \alpha]$, $\psi^0_i$ is obtained from $\delta(q_i, \{p\})$ by substituting each $q_j \in Q \setminus F$ by $\mathrm{X} z_j$ and each $q_f \in F$ by $\mathrm{X} \neg p$, and then by taking the conjunction with $p$. So, $\psi^0_i$ can be written schematically as $p \wedge \delta(q_i, \{p\})[q_j \leftarrow \mathrm{X} z_j, q_f \leftarrow \mathrm{X} \neg p]$. 

(ind) For every $j \in [1, \alpha-1]$, for every $i \in [1, \alpha-j]$, $\psi^j_i$ is obtained from $\psi^{j-1}_i$ by substituting every occurrence of $z_{\alpha-j+1}$ by $\mu z_{\alpha-j+1} \cdot \psi^{j-1}_{\alpha-j+1}$. 

Note that $\mu z_1 \cdot \psi^{\alpha-1}_1$ can be built in logarithmic space in the size of $A$ since formulae are represented as DAGs (their size is the number of subformulae) and for all $j \in [1, \alpha-1]$ and $i \in [1, \alpha-j]$, $\psi^j_i$ has no free occurrences of $z_{\alpha-j+1}, \ldots, z_\alpha$. 

It remains to check that (I)-(III) hold. First, observe that (III) is a direct consequence of (I) and (II). By Bekić's Principle, see e.g. [1, Section 1.4.2], 

$\mu(z_1, \ldots, z_j)(\varphi_1(z_1, \ldots, z_j), \ldots, \varphi_j(z_1, \ldots, z_j)) \cdot z_1$ is equivalent to 

$\mu(z_1, \ldots, z_{j-1})(\varphi_1(z_1, \ldots, z_{j-1}, \varphi'), \ldots, \varphi_{j-1}(z_1, \ldots, z_{j-1}, \varphi')) \cdot z_1$ 

where $\varphi' = \mu z_j \cdot \varphi_j(z_1, \ldots, z_j)$. Note that the substitution performed to build the formulae follows exactly the same principle. For every $j \in [1, \alpha-1]$, we obtain $(\psi^j_1, \ldots, \psi^j_{\alpha-j})$ by replacing $z_{\alpha-j+1}$ by $\mu z_{\alpha-j+1} \cdot \psi^{j-1}_{\alpha-j+1}$ in $(\psi^{j-1}_1, \ldots, \psi^{j-1}_{\alpha-j+1})$. Thus by Bekić's Principle, 

$\mu(z_1, \ldots, z_{\alpha-j})(\psi^j_1, \ldots, \psi^j_{\alpha-j}) \cdot z_1 \Leftrightarrow \mu(z_1, \ldots, z_{\alpha-j-1})(\psi^{j+1}_1, \ldots, \psi^{j+1}_{\alpha-j-1}) \cdot z_1$ 

is valid for all $j \in [0, \alpha-1]$. It remains to verify that (I) holds true. 

In the vectorial linear $\mu$-calculus, formulae with outermost fixed-point operators are of the form $\mu(z_1, \ldots, z_\beta)(\phi_1, \ldots, \phi_\beta) \cdot z_j$ with $j \in [1, \beta]$. Whereas fixed points in the linear $\mu$-calculus are considered for monotone functions over the complete lattice $(2^{\mathbb{N}}, \subseteq)$, fixed points in the vectorial linear $\mu$-calculus are considered for monotone functions over the complete lattice $((2^{\mathbb{N}})^\beta, \subseteq)$, where $(Y_1, \ldots, Y_\beta) \subseteq (Y'_1, \ldots, Y'_\beta)$ iff for every $i \in [1, \beta]$, we have $Y_i \subseteq Y'_i$. So, the satisfaction relation is defined as follows. Given a model $\sigma$ (an $\omega$-sequence of sets of atomic propositions), $\sigma, i \models_f \mu(z_1, \ldots, z_\beta)(\phi_1, \ldots, \phi_\beta) \cdot z_j$ (assuming that the variables $z_i$ occur positively in the $\phi_i$'s) iff $i \in Z^f_j$ where $(Z^f_1, \ldots, Z^f_\beta)$ is the least fixed point of the monotone function $T_{f,\sigma} : (2^{\mathbb{N}})^\beta \to (2^{\mathbb{N}})^\beta$ defined by $T_{f,\sigma}(Y_1, \ldots, Y_\beta) = (Y'_1, \ldots, Y'_\beta)$ where 

$Y'_l = \{i' \in \mathbb{N} : \sigma, i' \models_{f[z_1 \leftarrow Y_1, \ldots, z_\beta \leftarrow Y_\beta]} \phi_l\}.$ 

It is well-known that the least fixed point $(Z^f_1, \ldots, Z^f_\beta)$ can be obtained by an iterative process: $(Z^0_1, \ldots, Z^0_\beta) = (\emptyset, \ldots, \emptyset)$, $(Z^{i+1}_1, \ldots, Z^{i+1}_\beta) = T_{f,\sigma}(Z^i_1, \ldots, Z^i_\beta)$ for all $i \geq 0$ and $(Z^f_1, \ldots, Z^f_\beta) = \bigcup_i (Z^i_1, \ldots, Z^i_\beta)$. 

Let $\sigma_n$ be the model $\{p\}^n \cdot \emptyset^\omega$ with $n > 0$, $f_0$ be the constant assignment equal to $\emptyset$ everywhere and $T_{f_0,\sigma_n}$ be the monotone function $T_{f_0,\sigma_n} : (2^{\mathbb{N}})^\alpha \to (2^{\mathbb{N}})^\alpha$ defined from $\mu(z_1, \ldots, z_\alpha)(\psi^0_1, \ldots, \psi^0_\alpha) \cdot z_1$. 

Let us show by induction that for every $i \in [1, n]$, the $i$th iterated tuple $(Z^i_1, \ldots, Z^i_\alpha)$ verifies that for every $l \in [1, \alpha]$, $u \in Z^i_l$ iff $u \in [n-i, n-1]$ and $\{p\}^{n-u} \in L(A, q_l)$. 

Base Case: $i = 1$. The propositions below are equivalent ($l \in [1, \alpha]$): 

— $u \in Z^1_l$, 

— $\sigma_n, u \models_{f_0[z_1 \leftarrow \emptyset, \ldots, z_\alpha \leftarrow \emptyset]} \psi^0_l$ (by definition of $T_{f_0,\sigma_n}$), 

— $\sigma_n, u \models_{f_0[z_1 \leftarrow \emptyset, \ldots, z_\alpha \leftarrow \emptyset]} p \wedge \delta(q_l, \{p\})[q_j \leftarrow \mathrm{X} z_j, q_f \leftarrow \mathrm{X} \neg p]$ (by definition of $\psi^0_l$), 

— $\sigma_n, u \models p \wedge \delta(q_l, \{p\})[q_j \leftarrow \bot, q_f \leftarrow \mathrm{X} \neg p]$ (by definition of $\models$), 

— $\sigma_n, u \models p$ and there is a Boolean valuation $v : Q \to \{\bot, \top\}$ such that for every $q \in (Q \setminus F)$, we have $v(q) = \bot$ and $v \models \delta(q_l, \{p\})$, 

— $\sigma_n, u \models p$, $\sigma_n, u+1 \models \neg p$ and $(q_l, \{p\}) \in Acc$ (by definition of $Acc$ and by assumption (***)), 

— $u = n-1$ and $\{p\}^{n-u} \in L(A, q_l)$ (by definition of $\sigma_n$ and $L(A, q_l)$). 

Before proving the induction step, we observe that we can also show by induction that for all $l \in [1, \alpha]$ and $i$, $Z^i_l \subseteq [n-i, n-1]$ (†). 

Induction Step: Now let us assume that for some $i \in [1, n]$, the $i$th iterated tuple $(Z^i_1, \ldots, Z^i_\alpha)$ verifies that for every $l \in [1, \alpha]$, $u \in Z^i_l$ iff $u \in [n-i, n-1]$ and $\{p\}^{n-u} \in L(A, q_l)$. We will show that the same holds true for the $(i+1)$th iteration $(Z^{i+1}_1, \ldots, Z^{i+1}_\alpha)$. Since $Z^i_l \subseteq Z^{i+1}_l$ (monotonicity), for every $u \in Z^{i+1}_l \cap Z^i_l$, we have $u \in [n-i-1, n-1]$ and $\{p\}^{n-u} \in L(A, q_l)$ (since $[n-i, n-1] \subseteq [n-i-1, n-1]$). Similarly, if $u \in [n-i, n-1]$ and $\{p\}^{n-u} \in L(A, q_l)$, then $u \in Z^i_l$ by the induction hypothesis and therefore $u \in Z^{i+1}_l$. Hence, it remains to show that $u \in (Z^{i+1}_l \setminus Z^i_l)$ iff $u = n-i-1$ and $\{p\}^{n-u} \in L(A, q_l)$ (i.e. $\{p\}^{i+1} \in L(A, q_l)$). By (†), it is sufficient to show that $(n-i-1) \in Z^{i+1}_l$ iff $\{p\}^{i+1} \in L(A, q_l)$. 

The propositions below are equivalent ($l \in [1, \alpha]$, $i \geq 1$, $n-i-1 \geq 0$): 

— $(n-i-1) \in Z^{i+1}_l$, 

— $\sigma_n, n-i-1 \models_{f_0[z_1 \leftarrow Z^i_1, \ldots, z_\alpha \leftarrow Z^i_\alpha]} \psi^0_l$ (by definition of $Z^{i+1}_l$), 

— $\sigma_n, n-i-1 \models_{f_0[z_1 \leftarrow Z^i_1, \ldots, z_\alpha \leftarrow Z^i_\alpha]} p \wedge \delta(q_l, \{p\})[q_j \leftarrow \mathrm{X} z_j, q_f \leftarrow \mathrm{X} \neg p]$ (by definition of $\psi^0_l$), 

— $\sigma_n, n-i-1 \models p$ and there is a Boolean valuation $v : Q \to \{\bot, \top\}$ such that 

1. for every $q_{l'} \in (Q \setminus F)$, we have $v(q_{l'}) = \top$ iff $n-i \in Z^i_{l'}$, 

2. for every $q_f \in F$, $v(q_f) = \bot$, 

and $v \models \delta(q_l, \{p\})$ (by definition of $\models$ and $i \geq 1$), 

— there is $v : Q \to \{\bot, \top\}$ such that 

1. for every $q_{l'} \in (Q \setminus F)$, we have $v(q_{l'}) = \top$ iff $n-i \in [n-i, n-1]$ and $(q_{l'}, \{p\}^i) \in Acc$, 

2. for every $q_f \in F$, $v(q_f) = \bot$, 

and $v \models \delta(q_l, \{p\})$ (by the induction hypothesis and since $n-i-1 \in [0, n-1]$), 

— there is $v : Q \to \{\bot, \top\}$ such that 

1. for every $q_{l'} \in (Q \setminus F)$, we have $v(q_{l'}) = \top$ iff $(q_{l'}, \{p\}^i) \in Acc$, 

2. for every $q_f \in F$, $v(q_f) = \bot$, 

and $v \models \delta(q_l, \{p\})$ (by propositional reasoning), 

— there is $v : Q \to \{\bot, \top\}$ such that 

1. for every $q_{l'} \in (Q \setminus F)$, we have $v(q_{l'}) = \top$ iff $(q_{l'}, \{p\}^i) \in Acc$, 

2. for every $q_f \in F$, $v(q_f) = \top$ iff $(q_f, \{p\}^i) \in Acc$, 

and $v \models \delta(q_l, \{p\})$ (since $i \geq 1$, $\delta(q_f, \{p\}) = \bot$ and $(q_f, \{p\}^i) \notin Acc$), 

— $(q_l, \{p\}^{i+1}) \in Acc$ (by definition of $Acc$), 

— $\{p\}^{i+1} \in L(A, q_l)$. 

Thus, for every $i \in [1, n]$, the $i$th iterated tuple $(Z^i_1, \ldots, Z^i_\alpha)$ verifies that for every $l \in [1, \alpha]$, $u \in Z^i_l$ iff $u \in [n-i, n-1]$ and $\{p\}^{n-u} \in L(A, q_l)$. So, $\{p\}^n \in L(A)$ iff $0 \in Z^n_1$. Since $(Z^f_1, \ldots, Z^f_\alpha)$ is precisely equal to $(Z^n_1, \ldots, Z^n_\alpha)$ because of the simple structure of $\sigma_n$ (see (†)), we conclude that $\{p\}^n \in L(A)$ iff $\sigma_n, 0 \models \mu(z_1, \ldots, z_\alpha)(\psi^0_1, \ldots, \psi^0_\alpha) \cdot z_1$, whence (I) holds. 

From (III), we conclude that $L(A)$ is non-empty iff there is $\{p\} \cdot \{p\}^{n_1} \cdot \emptyset^\omega$ in $L(cps)$ with $cps = (\{p\} \cdot \{p\}^* \cdot \emptyset^\omega, \top)$ such that $\{p\} \cdot \{p\}^{n_1} \cdot \emptyset^\omega \models \phi_A$. Since $cps$ and $\phi_A$ can be computed in logarithmic space in the size of $A$, this provides a reduction from the nonemptiness problem for alternating finite automata with a singleton alphabet to the intersection non-emptiness problem with linear $\mu$-calculus. Hence, the intersection non-emptiness problem is PSpace-hard (we use only a fixed constrained path schema and a formula without past-time operators and without the greatest fixed-point operator). $\square$ 
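The acceptance predicate $Acc$, the construction of $A'$ and the iterative computation of the least fixed point of $T_{f_0,\sigma_n}$ used in the proof of (I), as an added Python example that is not code from the paper; the formula encoding, the state names q0_new/qf_new and the sample automaton are constructed here, and the fixed-point part assumes, as the proof does, that $q_0 \notin F$ and $\delta(q_f, \{p\}) = \bot$.

```python
# Added example (not from the paper): AFA acceptance over a singleton alphabet, the
# normalisation A -> A' of the proof, and the iteration of T_{f0,sigma_n} from (I).
from functools import lru_cache

def holds(f, v):  # positive formula: 'T', 'F', ('var', q), ('and', f, g), ('or', f, g)
    if f in ('T', 'F'):
        return f == 'T'
    if f[0] == 'var':
        return v[f[1]]
    return (holds(f[1], v) and holds(f[2], v)) if f[0] == 'and' else (holds(f[1], v) or holds(f[2], v))
class AFA:  # (Q, {a}, delta, q0, F); delta maps each state to a positive formula over Q
    def __init__(self, Q, delta, q0, F):
        self.Q, self.delta, self.q0, self.F = list(Q), dict(delta), q0, set(F)
@lru_cache(maxsize=None)
def acc(A, q, n):  # (q, a^n) in Acc, following the inductive definition on the word length
    if n == 0:
        return q in A.F
    return holds(A.delta[q], {r: acc(A, r, n - 1) for r in A.Q})

def normalise(A):
    """A' of the proof (state names q0_new, qf_new are ours): L(A') = a . L(A) if q0 not in F."""
    def subst(f):  # replace every occurrence of qf in F by (qf or qf_new)
        if f in ('T', 'F'):
            return f
        if f[0] == 'var':
            return ('or', f, ('var', 'qf_new')) if f[1] in A.F else f
        return (f[0], subst(f[1]), subst(f[2]))
    delta = {'q0_new': ('var', A.q0), 'qf_new': 'F'}
    for q in A.Q:  # delta(q) = T becomes (q or qf_new), as in the proof
        delta[q] = ('or', ('var', q), ('var', 'qf_new')) if A.delta[q] == 'T' else subst(A.delta[q])
    return AFA(A.Q + ['q0_new', 'qf_new'], delta, 'q0_new', ['qf_new'])

def lfp_on_sigma(A, n):
    """Iterate T_{f0,sigma_n} on sigma_n = {p}^n . {}^omega (p holds at u iff u < n) for
    psi^0_l = p and delta(q_l)[q_j <- X z_j, q_f <- X not p] from (0, ..., 0) to the lfp.
    Assumes q0 not in F and delta(qf) = F for every qf in F, as the proof does."""
    Z = {q: set() for q in A.Q if q not in A.F}
    while True:  # X z_j holds at u iff u + 1 in Z_j; X not p holds at u iff u + 1 >= n
        new = {q: {u for u in range(n) if holds(A.delta[q],
                   {r: (u + 1 in Z[r]) if r in Z else (u + 1 >= n) for r in A.Q})}
               for q in Z}
        if new == Z:
            return Z
        Z = new

# Constructed sample: L(A, q1) = {a^m : m >= 1}, L(A, q2) = {a^m : m even, m >= 2}, so L(A) = {a^n : n odd, n >= 3}.
SAMPLE = AFA(['q0', 'q1', 'q2', 'q3', 'qf'], {
    'q0': ('and', ('var', 'q1'), ('var', 'q2')), 'q1': ('or', ('var', 'qf'), ('var', 'q1')),
    'q2': ('var', 'q3'), 'q3': ('or', ('var', 'qf'), ('var', 'q2')), 'qf': 'F'}, 'q0', ['qf'])

def check_characterisation(A, n):
    """(I): u in Z_l iff u in [0, n-1] and a^(n-u) in L(A, q_l); a^n in L(A) iff 0 in Z_1."""
    Z = lfp_on_sigma(A, n)
    return (all(Z[q] == {u for u in range(n) if acc(A, q, n - u)} for q in Z)
            and (0 in Z[A.q0]) == acc(A, A.q0, n))
```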



L Proof of Corollary 16 

Proof. The proof takes advantage of a variant of Theorem 2 (whose proof is also based on developments from [5]) in which initial counter values are replaced by variables. Below, we prove the result for BA, which immediately leads to a similar result for ABA, ETL and $\mu$TL. 

Let $S$ be a flat counter system of dimension $n$ built over atomic constraints in $\mathrm{at} \cup \mathrm{agn}$, $q$ be a control state and $A$ be a specification in BA (i.e. a Büchi automaton whose underlying constrained alphabet is $(\mathrm{at}, \mathrm{agn}, \Sigma)$). A parameterized constrained path schema (PCPS) is defined as a constrained path schema except that the second argument (a guard) also has the free variables $z_1, \ldots, z_n$ dedicated to the initial counter values. Remember that a constrained path schema already has a constraint about the number of times loops are visited. In its parameterized version, this constraint also expresses a requirement on the initial counter values. Following the proof of Theorem 2, one can construct in exponential time a set $X$ of parameterized constrained path schemas such that: 

— Each parameterized constrained path schema $pcps$ in $X$ has an alphabet of the form $(\mathrm{at}, \mathrm{agn}, \Sigma')$ ($\Sigma'$ may vary) and $pcps$ is of polynomial size. 

— Checking whether a parameterized constrained path schema belongs to $X$ can be done in polynomial time. 

— For every run $\rho$ from $(q, v)$, there is a parameterized constrained path schema $pcps$ and $w \in L(pcps[v])$ such that $\rho \models w$, where $pcps[v]$ is the constrained path schema obtained from $pcps$ by replacing the variables $z_1, \ldots, z_n$ by the counter values from $v$. 

— For every parameterized constrained path schema $pcps$, for every counter values $v$, for every $w \in L(pcps[v])$, there is a run $\rho$ from $(q, v)$ such that $\rho \models w$. 

The existential Presburger formula $\phi(z_1, \ldots, z_n)$ has the form below: 

$\bigvee \bigvee \big( \exists\, y_1, \ldots, y_M\ \exists\, x_1, \ldots, x_{k-1}\ \ \psi_{q_{init},q}(y_1, \ldots, y_M) \wedge (y_1 = a^1_0 + a^1_1 x_1 + \cdots + a^1_{k-1} x_{k-1}) \wedge \cdots \wedge (y_M = a^M_0 + a^M_1 x_1 + \cdots + a^M_{k-1} x_{k-1}) \wedge \psi(x_1, \ldots, x_{k-1}, z_1, \ldots, z_n) \big)$ 

where 

1. $(\mathrm{at}, \mathrm{agn}, \Sigma')$ is the alphabet of $pcps$, $M = \mathrm{card}(\Sigma')$ and by the nice subalphabet property, there is a specification $A'$ such that $L(A') = L(A) \cap (\Sigma')^\omega$. 

2. $q_{init}$ is an initial state of $A'$ and $q$ is a state of $A'$. 

3. $\psi_{q_{init},q}(y_1, \ldots, y_M)$ is the quantifier-free Presburger formula for the Parikh image of the finite words over the alphabet $\Sigma'$ accepted by $A'$ (viewed as a finite-state automaton) with initial state $q_{init}$ and final state $q$. $\psi_{q_{init},q}(y_1, \ldots, y_M)$ is of polynomial size in the size of the Büchi automaton. 

4. $pcps = (p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k (l_k)^\omega, \psi(x_1, \ldots, x_{k-1}, z_1, \ldots, z_n))$. 

5. For each letter $a_j$, we write $a^j_0, \ldots, a^j_{k-1}$ to denote the natural numbers such that if each loop $i$ in $pcps$ is taken $x_i$ times, then the letter $a_j$ is visited $a^j_0 + a^j_1 x_1 + \cdots + a^j_{k-1} x_{k-1}$ times along $p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k$. Those coefficients can be easily computed from $p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k$ (for instance $a^j_1$ is the number of times the letter $a_j$ is present in the first loop). 

6. Finally, observe that checking whether $(l_k)^\omega \in L(A'_q)$, where $A'_q$ is defined as the specification $A'$ in which the unique initial state is $q$, amounts to performing a nonemptiness test between two Büchi automata. 

FO admits a similar proof but it is based on Theorem 6 (actually the proof is much simpler because the number of times loops can be visited depends essentially on a threshold value). For FO, it is sufficient to consider the formula below: 

$\bigvee \bigvee \bigvee\ \exists\, y_1 \cdots y_{k-1}\ \ \psi(y_1, \ldots, y_{k-1}, z_1, \ldots, z_n) \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ 

where 

1. $pcps = (p_1 (l_1)^* \cdots p_{k-1} (l_{k-1})^* p_k (l_k)^\omega, \psi(x_1, \ldots, x_{k-1}, z_1, \ldots, z_n))$, 

2. $(\mathrm{at}, \mathrm{agn}, \Sigma')$ is the alphabet of $pcps$ and by the nice subalphabet property, there is a specification $A'$ such that $L(A') = L(A) \cap (\Sigma')^\omega$, 

3. the third generalized disjunction deals with $y \in [0, 2^{\mathrm{size}(A')+1} + 1]^{k-1}$, 

4. for $i \in [1, k-1]$, $\psi_i = (y_i = y[i])$ if $y[i] < 2^{\mathrm{size}(A')+1} + 1$, otherwise $\psi_i = (y_i \geq 2^{\mathrm{size}(A')+1} + 2)$. 

$\square$ 